Re: Advice on dealing with scripted SSH attacks?

You can also Wrap sshd within xinetd

service ssh
flags = REUSE
socket_type = stream
wait = no
user = root
protocol = tcp
server = /usr/sbin/sshd
server_args = -i
log_type = FILE /var/log/sshdlog
log_on_success = HOST PID DURATION EXIT
log_on_failure = HOST ATTEMPT
disable = no

Shutdown sshd itself and bounce xinetd. then the hosts.allow and/or
hosts.deny work.

On 3/28/06, Joseph Spenner <joseph85750@xxxxxxxxx> wrote:
--- "Zembower, Kevin" <kzembowe@xxxxxxxxxx> wrote:

What's the current advice on dealing with scripts
that repeatedly try to
log onto SSH using a list of common usernames and
'password' for the
password? I get up to 4,000 of these a day from a
single server. In
searching Google on this, I've learned of techniques
using PAM and
firewall rules that are created dynamically in
response to log-in

I've seen systems where an entry is made in
/etc/hosts.allow for sshd: for the offending IP if too
many attempts are detected. But in order for this to
work, your sshd must be compiled with tcp_wrappers
I see this sort of attack a lot, and if the attacking
script hits a tcp wrapped ssh, it will stop
immediately. After a few minutes/hours, the entry can
be removed from hosts.allow (or not).

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around

Relevant Pages

  • Re: why is xinetd not installed by default in FC6?
    ... sshd: 24.124. ... Now in FC6 I notice that xinetd is not installed and so these host ... of course, I can install xinetd, but I'm ... What does xinetd not being installed have to do with ssh checking ...
  • Re: SSH Security
    ... Daemons that use xinetd are protected by hosts.deny and hosts.allow, ... The SSH RPM that ships with RHEL does _NOT_ use xinetd, ... So to secure access to sshd you need to either: ... Use the AllowUsers line in the sshd_config file and restart your sshd ...
  • Re: SSH Security
    ... I will have to recant this because somehow the sshd is using ... > 3) SSH can be compiled/configured to use xinetd ... >> beside SSH. ...
  • Re: ssh with tcp_wrappers!! contd/-
    ... Thanks a lot for such a huge response, of course typing mistake, i was using DenyHost not DenyGhost; as suggested by david and others i did this, ... Login, as root, to my Linux system containing the sshd server. ... i am not willing to compile openssh package is there any way out via rpm installation. ... Then try to ssh to localhost. ...
  • Re: use ipchains to block all ports > 60,000
    ... else going on here except sshd which allows me to log in and monitor the ... Telnet not running but here's the ouput of ssh -V and sshd -V ... OK, ran that from an external box and it showed open ports 22, 80, plus ... My ISP looked for evidence of massive scans emanating from my ip address ...