Re: Advice on dealing with scripted SSH attacks?



You can also wrap sshd within xinetd:

# xinetd service entry: xinetd accepts the connection and applies its own
# tcp_wrappers (hosts.allow/hosts.deny) checks before starting sshd
service ssh
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    protocol        = tcp
    server          = /usr/sbin/sshd
    # -i: run sshd in inetd mode, one process per accepted connection
    server_args     = -i
    log_type        = FILE /var/log/sshdlog
    log_on_success  = HOST PID DURATION EXIT
    log_on_failure  = HOST ATTEMPT
    disable         = no
}

Shut down sshd itself and bounce xinetd. Then hosts.allow and/or
hosts.deny work.

On 3/28/06, Joseph Spenner <joseph85750@xxxxxxxxx> wrote:
--- "Zembower, Kevin" <kzembowe@xxxxxxxxxx> wrote:

What's the current advice on dealing with scripts that repeatedly try to log onto SSH using a list of common usernames and 'password' for the password? I get up to 4,000 of these a day from a single server. In searching Google on this, I've learned of techniques using PAM and firewall rules that are created dynamically in response to log-in attempts.


I've seen systems where an entry is made in /etc/hosts.allow for sshd: for the offending IP if too many attempts are detected. But in order for this to work, your sshd must be compiled with tcp_wrappers support.

I see this sort of attack a lot, and if the attacking script hits a tcp wrapped ssh, it will stop immediately. After a few minutes/hours, the entry can be removed from hosts.allow (or not).



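The dynamic-blocking idea discussed in this thread (count failed logins per source address, then add a tcp_wrappers entry for the offender) as an added example script; it is not code from any of the posters. It assumes the standard OpenSSH "Failed password for ... from IP port N ssh2" log line, and the threshold and hosts.deny path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: count failed sshd logins per source
# address in auth-log lines and emit tcp_wrappers deny entries for the
# worst offenders. Assumes the standard OpenSSH "Failed password for ...
# from IP port N ssh2" message; the threshold and file path are assumptions.
THRESHOLD=5

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG='Mar 28 10:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4011 ssh2
Mar 28 10:01:03 host sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 4012 ssh2
Mar 28 10:01:04 host sshd[1236]: Failed password for invalid user guest from 192.0.2.10 port 4013 ssh2
Mar 28 10:01:05 host sshd[1237]: Failed password for root from 192.0.2.10 port 4014 ssh2
Mar 28 10:01:06 host sshd[1238]: Failed password for root from 192.0.2.10 port 4015 ssh2
Mar 28 10:02:00 host sshd[1240]: Accepted password for kevin from 198.51.100.7 port 5000 ssh2
Mar 28 10:02:05 host sshd[1241]: Failed password for kevin from 198.51.100.7 port 5001 ssh2'

# Read log lines on stdin; print "count ip" per source address, highest first.
count_failures() {
    awk '/: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read log lines on stdin; print a tcp_wrappers line ("sshd: IP") for every
# address with at least $1 failures.
offenders() {
    count_failures | awk -v t="$1" '$1 >= t { print "sshd: " $2 }'
}

# Append offender lines to a hosts.deny-style file ($2, default
# /etc/hosts.deny), skipping entries that are already present so the
# script can run repeatedly from cron without duplicating lines.
apply_deny() {
    deny="${2:-/etc/hosts.deny}"
    touch "$deny"
    offenders "$1" | while IFS= read -r line; do
        grep -qxF -- "$line" "$deny" || printf '%s\n' "$line" >> "$deny"
    done
}

# Dry run against the constructed sample: prints "sshd: 192.0.2.10".
printf '%s\n' "$SAMPLE_LOG" | offenders "$THRESHOLD"
```

Feed the real log with something like `apply_deny 5 < /var/log/sshdlog` once sshd is running under xinetd as above; the entries then take effect on the next connection without restarting anything.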