Re: Attacks on ssh port

From: Willem Jan Withagen
Date: 09/19/04

    Date: Sun, 19 Sep 2004 00:25:51 +0200
    To: "David D.W. Downey"

    David D.W. Downey wrote:

    >> OK, was a simple suggestion. (no derogatory tone meant).
    I'm sorry. No intentions to put you down. The suggestions you made are
    very valid.
    And a lot of them were already in place. Please attribute it to being
    non-native English

    >> I will say
    >> this much. adding each individual host that scans your machine
    >> instantly to your firewall WILL end up killing your machine due to
    >> lookups if this is in place during any large scan or direct port
    >> attacks.
    I also have portsentry in a rather sensitive mode doing exactly the same.
    Trigger one of the "backdoor" ports, and you're out of my game.

    >> I do think you're being overly concerned about your log entries since
    >> this is *exactly* what the system is *supposed* to do, log the entries
    >> for further use by the admin if needed. There is no signal to noise
    >> reduction gained, since what you consider noise is what the system is
    >> *designed* to do. If you want to reduce the number of entries then
    >> reduce the # of entries it logs (aka when you enable the verbose_limit
    >> count it won't log any more than that number of attempts from a host.
    >> So set it to 2 or even 1 (I would suggest 2 so you only get what
    >> should be considered a bona fide failure) )
    True, and perhaps even more true. BUT since I've now concluded that
    there are script-kiddies trying ssh-breakins ad nauseam, this logging
    gets a totally different meaning. I don't need to see these specific
    warnings myself anymore; it is a full indication of a host that is no
    longer under his master's control. So instead of waiting to see if the
    attacks get any smarter, just deny full access. Blunt but effective.

    Note that this is on a server of one of my customers. And having seen
    the havoc of previously hacked systems of the ISP where I worked, I
    prefer to be a little more safe. The only reason that this would kill my
    machine, is when the list of IP-numbers gets so large that it keeps the
    system from doing anything else any more. But it has not come this far
    yet, Moore's law outpaces this problem by far.

    >> If you want to enable firewalling based on that information then
    >> you're going to have to write a custom script to cull the information
    >> from the logfiles or enable some ports NIDs, or 3rd party NIDS to do
    >> this for you. (Such as maybe portsentry and hostsentry for a basic
    >> choice option set)
    I used to run one of such tools, but found those just a little bit too
    inaccurate to actually trust it for this job. Remember that you do not
    have the time to turn over the logfile at midnight, and then start
    blocking IP-numbers. It has to be done at first sight of a possible
    attempt to break into the system. But perhaps I'll start running that again.
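
As an added illustration (not code from this thread or from any tool named in it), the sketch below acts on each sshd failure line as it arrives instead of at log rotation, using the threshold of 2 suggested in the quoted text and a cap on the block list so it cannot grow without bound. The class name, allow list, cap and sample log lines are assumptions made for the example; it only returns block/unblock decisions and leaves the firewall call to the reader.

```python
import re
from collections import OrderedDict

# sshd failure lines; older OpenSSH logs "illegal user", newer "invalid user".
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?\S+ "
                     r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

class Blocker:
    def __init__(self, threshold=2, max_blocked=1000, allow=()):
        self.threshold = threshold      # failures seen before an address is blocked
        self.max_blocked = max_blocked  # cap so the block list cannot grow without bound
        self.allow = set(allow)         # addresses that must never be blocked
        self.failures = {}
        self.blocked = OrderedDict()    # insertion order doubles as age

    def feed(self, line):  # one log line in, list of firewall actions out
        m = FAIL_RE.search(line)
        if not m:
            return []
        ip = m.group(1)
        if ip in self.allow or ip in self.blocked:
            return []
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.threshold:
            return []
        del self.failures[ip]
        actions = []
        if len(self.blocked) >= self.max_blocked:
            oldest, _ = self.blocked.popitem(last=False)  # evict the oldest entry
            actions.append(("unblock", oldest))
        self.blocked[ip] = True
        actions.append(("block", ip))
        return actions

# Constructed sample lines (documentation address ranges, made-up users).
SAMPLE_LOG = """\
Sep 18 23:01:02 host sshd[4101]: Failed password for illegal user test from 192.0.2.10 port 4242 ssh2
Sep 18 23:01:03 host sshd[4102]: Failed password for illegal user admin from 192.0.2.10 port 4243 ssh2
Sep 18 23:01:09 host sshd[4107]: Failed password for root from 198.51.100.7 port 5151 ssh2
Sep 18 23:02:00 host sshd[4110]: Accepted password for alice from 203.0.113.5 port 6000 ssh2
Sep 18 23:02:30 host sshd[4115]: Failed password for alice from 203.0.113.5 port 6001 ssh2
Sep 18 23:02:31 host sshd[4116]: Failed password for alice from 203.0.113.5 port 6002 ssh2
Sep 18 23:03:00 host sshd[4120]: Failed password for root from 198.51.100.20 port 7001 ssh2
Sep 18 23:03:01 host sshd[4121]: Failed password for root from 198.51.100.20 port 7002 ssh2
""".splitlines()

def run(lines, **kw):
    blocker = Blocker(**kw)
    return [action for line in lines for action in blocker.feed(line)]
```

Without the allow list, the two mistyped passwords from 203.0.113.5 get that legitimate user blocked as well, which is the accuracy problem raised in the message. The per-address failure counters are not aged out here; a long-running version would expire them too.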
