Re: Advice on dealing with scripted SSH attacks?

From: "Matt P" <slarty.tj@xxxxxxxxx>
Date: Wed, 29 Mar 2006 23:45:05 -0600

You can also Wrap sshd within xinetd

service ssh
{
flags = REUSE
socket_type = stream
wait = no
user = root
protocol = tcp
server = /usr/sbin/sshd
server_args = -i
log_type = FILE /var/log/sshdlog
log_on_success = HOST PID DURATION EXIT
log_on_failure = HOST ATTEMPT
disable = no
}

Shutdown sshd itself and bounce xinetd. then the hosts.allow and/or
hosts.deny work.

On 3/28/06, Joseph Spenner <joseph85750@xxxxxxxxx> wrote:

--- "Zembower, Kevin" <kzembowe@xxxxxxxxxx> wrote:

What's the current advice on dealing with scripts
that repeatedly try to
log onto SSH using a list of common usernames and
'password' for the
password? I get up to 4,000 of these a day from a
single server. In
searching Google on this, I've learned of techniques
using PAM and
firewall rules that are created dynamically in
response to log-in
attempts.

I've seen systems where an entry is made in
/etc/hosts.allow for sshd: for the offending IP if too
many attempts are detected. But in order for this to
work, your sshd must be compiled with tcp_wrappers
support.
I see this sort of attack a lot, and if the attacking
script hits a tcp wrapped ssh, it will stop
immediately. After a few minutes/hours, the entry can
be removed from hosts.allow (or not).

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Follow-Ups:
- Re: Advice on dealing with scripted SSH attacks?
  - From: Jeff Rosowski

References:
- Advice on dealing with scripted SSH attacks?
  - From: Zembower, Kevin
- Re: Advice on dealing with scripted SSH attacks?
  - From: Joseph Spenner

Prev by Date: who command on solaris 2.8
Next by Date: Re: Advice on dealing with scripted SSH attacks?
Previous by thread: Re: Advice on dealing with scripted SSH attacks?
Next by thread: Re: Advice on dealing with scripted SSH attacks?
Index(es):
- Date
- Thread

Relevant Pages

Re: why is xinetd not installed by default in FC6?
... sshd: 24.124. ... Now in FC6 I notice that xinetd is not installed and so these host ... of course, I can install xinetd, but I'm ... What does xinetd not being installed have to do with ssh checking ...
(Fedora)
Re: SSH Security
... Daemons that use xinetd are protected by hosts.deny and hosts.allow, ... The SSH RPM that ships with RHEL does _NOT_ use xinetd, ... So to secure access to sshd you need to either: ... Use the AllowUsers line in the sshd_config file and restart your sshd ...
(RedHat)
Re: SSH Security
... I will have to recant this because somehow the sshd is using ... > 3) SSH can be compiled/configured to use xinetd ... >> beside SSH. ...
(RedHat)
Re: ssh with tcp_wrappers!! contd/-
... Thanks a lot for such a huge response, of course typing mistake, i was using DenyHost not DenyGhost; as suggested by david and others i did this, ... Login, as root, to my Linux system containing the sshd server. ... i am not willing to compile openssh package is there any way out via rpm installation. ... Then try to ssh to localhost. ...
(RedHat)
Re: use ipchains to block all ports > 60,000
... else going on here except sshd which allows me to log in and monitor the ... Telnet not running but here's the ouput of ssh -V and sshd -V ... OK, ran that from an external box and it showed open ports 22, 80, plus ... My ISP looked for evidence of massive scans emanating from my ip address ...
(comp.os.linux.security)