Corrine Posted June 20, 2023

Via Bleeping Computer:

An unknown threat actor is brute-forcing Linux SSH servers to install a wide range of malware, including the Tsunami DDoS (distributed denial of service) bot, ShellBot, log cleaners, privilege escalation tools, and an XMRig (Monero) coin miner.

SSH (Secure Socket Shell) is an encrypted network communication protocol for logging into remote machines, supporting tunneling, TCP port forwarding, file transfers, etc. Network administrators typically use SSH to manage Linux devices remotely, performing tasks such as running commands, changing the configuration, updating software, and troubleshooting problems.

However, if those servers are poorly secured, they might be vulnerable to brute force attacks, allowing threat actors to try out many potential username-password combinations until a match is found.

See the referenced article for additional information.
securitybreach Posted June 20, 2023

Looks to be very easy to block and doesn't make it out of userspace. Basically use a strong password or disable passwords and only use keys, use fail2ban and other things.

Quote:

There are a number of ways to protect your SSH credentials from brute force attacks. The most common and effective way is to use a strong password. A strong password should be at least eight characters long and should include a mix of letters, numbers, and symbols. It should also be changed regularly.

Another way to protect your SSH credentials from brute force attacks is to use two-factor authentication. Two-factor authentication requires users to provide both a password and a code generated by an authenticator app or device in order to log in. This makes it much more difficult for attackers to gain access to your account, even if they have your password.

You can also protect your SSH credentials by limiting the number of failed login attempts. After a certain number of failed login attempts, the account will be locked and the user will need to contact an administrator in order to regain access.

Finally, you can use a tool like fail2ban to automatically ban IP addresses that are associated with brute force attacks. This will prevent the attacker from even attempting to log in, as their IP address will be blocked....

https://thesecmaster.com/tips-to-protect-your-linux-systems-from-rapperbot-malware/#Tips_to_Protect_Your_Linux_Systems_from_Rapp

Fail2Ban is too common for those that use ssh to not implement. Basically another one of those 'poorly implemented services' attacks.
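The fail2ban-style control mentioned in the post above, as an added example that is not part of this thread or of the fail2ban project: a small Python detector that parses OpenSSH "Failed password" lines from auth.log, keeps a sliding window of failures per source address, and flags an address once it crosses a threshold inside that window (fail2ban's maxretry/findtime idea). The log lines are constructed for the example, the addresses are RFC 5737 documentation ranges, the year is assumed because syslog timestamps carry none, and the ban command is returned as a string rather than executed. The third source address is deliberately slow, one attempt every twenty minutes, to show the caveat that a short window lets a low-and-slow guesser through.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog auth.log format (not captured
# from any real host). 203.0.113.5 hammers root and invalid users within
# seconds; 198.51.100.7 fails once and then logs in with a key; 192.0.2.9
# guesses slowly, one attempt every twenty minutes.
SAMPLE_LOG = """\
Jun 20 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jun 20 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40118 ssh2
Jun 20 10:00:05 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 40121 ssh2
Jun 20 10:00:09 host sshd[1204]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun 20 10:00:12 host sshd[1205]: Failed password for root from 203.0.113.5 port 40133 ssh2
Jun 20 10:01:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun 20 10:01:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
Jun 20 10:20:00 host sshd[1220]: Failed password for root from 192.0.2.9 port 22000 ssh2
Jun 20 10:40:00 host sshd[1221]: Failed password for root from 192.0.2.9 port 22001 ssh2
Jun 20 11:00:00 host sshd[1222]: Failed password for root from 192.0.2.9 port 22002 ssh2
Jun 20 11:20:00 host sshd[1223]: Failed password for root from 192.0.2.9 port 22003 ssh2
Jun 20 11:40:00 host sshd[1224]: Failed password for root from 192.0.2.9 port 22004 ssh2
"""

# OpenSSH password failures, with or without the "invalid user" prefix.
# Accepted logins and other daemons do not match and are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

LOG_YEAR = 2023  # assumption: syslog timestamps carry no year


def parse_ts(ts):
    """Turn a syslog timestamp like 'Jun 20 10:00:12' into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime_minutes=10):
    """Return {ip: datetime} for every source that reached maxretry password
    failures inside a findtime window. Mirrors fail2ban's maxretry/findtime."""
    findtime = timedelta(minutes=findtime_minutes)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}                  # ip -> time the threshold was crossed
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in banned:
            continue  # already banned; later lines for it are irrelevant
        ts = parse_ts(m.group("ts"))
        window = recent[ip]
        window.append(ts)
        # Drop failures older than the window; the newest entry always stays.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_command(ip):
    """The firewall action a fail2ban jail would run for a banned source.
    Returned as a string only; nothing here touches the host's firewall."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban {ip}: {ban_command(ip)}")
```

With the defaults, only 203.0.113.5 is banned (at 10:00:12, the fifth failure); 192.0.2.9 never has more than one failure inside a ten-minute window, so it is invisible to this rule until findtime is widened to a couple of hours. That gap is why rate limiting is a second line of defence: with PasswordAuthentication disabled in sshd_config and key-only logins, a guesser gets no password prompt at all, however slowly it tries.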
V.T. Eric Layton Posted June 20, 2023

HA-HA! Beat you to it, @Corrine, but I posted mine in the Security area of the board.
securitybreach Posted June 28, 2023

15 hours ago, crp said: I wonder why sftp is not affected.

Well, sftp isn't ssh.