Re: ssh attempts

From: Matt Alexander <lowbassman@xxxxxxxxx>
Date: Sat, 21 Jan 2006 22:51:47 -0700

Another fun addition is port knocking with iptables:

http://www.neep.co.uk/index.php?tab=Projects&menu=Port%20Knocking

Robert Bauer wrote:

Limiting SSH to a particular IP (or set of IP's) isn't always practical.
As for how & where to do the blocking, besides TCPWrappers, don't forget
the excellent iptables firewall you probably already have on your system.
Also, consider changing the port SSH listens on.  This will stop nearly
all of the scripted attacks.  Another valuable technique is to have your
system detect these attacks and dynamically block the source IP
addresses.  Scripts for doing this are pretty easy to find on the net.
Robert Bauer
Snow Enterprises
(336) 623-7772 ext. 307
Leif Ericksen wrote:
Lock down your box a little more... Enable TCPWrappers in the very least. IF they are able to hit your system like that via SSH it is obvious that you are not blocking. This is common. My firewall logs show and have shown attempts to ssh (This is for a personal system) they get stopped at the firewall because they are not coming from the correct IP address(es) Incidentally the ones I see hitting my firewall cam from China, Korea, and Taiwan for the most part, least wise that is what the IP indicated as long as it was not spoofed.
Before I locked down my firewall to IP I would see the rejects because
of Wrappers.
If the system is on the net LOCK IT DOWN.
-- Leif Ericksen On Wed, 2006-01-04 at 11:35 +0100, Emilio Casbas wrote:
I´ve noticed that several Linux Machines I have running are getting scanned via ssh for multiple accounts such as "guest webmaster mysql info shell apache test..." and many others, the log show:

Jan 3 01:31:08 machine sshd2[22087]: WARNING: DNS lookup failed for "X.X.X.233". Jan 3 01:31:10 machine sshd2[22087]: password authentication failed. Login to account webmaster not allowed or account non-existent. Jan 3 01:31:13 machine sshd2[21757]: LoginGraceTime exceeded.

as well there are attempts to connect with root login, with the log message show as:
WARNING: DNS lookup failed for "X.X.X.233".
Jan  3 01:17:53 machine sshd2[21651]: root login denied for user 'root'.
Obviously, We don´t have accounts with that name on our systems, and the root account is disabled for ssh, but I would like to know which software can do this scan type, because while it's running, the machine proccesses grow too much.
Thanks.
Emilio C.
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- RE: ssh attempts
  - From: Martín Biamonte

References:
- ssh attempts
  - From: Emilio Casbas
- Re: ssh attempts
  - From: Leif Ericksen
- Re: ssh attempts
  - From: Robert Bauer

Prev by Date: Re: question: Linksys 54G WAP - SSID name change issue
Next by Date: Re: Security Policies
Previous by thread: Re: ssh attempts
Next by thread: RE: ssh attempts
Index(es):
- Date
- Thread

Relevant Pages

Re: ssh attempts
... IF they are able to hit your system like that via SSH it is ... > Login to account webmaster not allowed or account non-existent. ... > education and the case study affords you unmatched consulting experience. ... > Computer Emergency Response Teams, ...
(Security-Basics)
RE: ssh attempts
... Change the port to something different than port 22. ... Subject: Re: ssh attempts ... > forget the excellent iptables firewall you probably already have on ... >>> Computer Emergency Response Teams, ...
(Security-Basics)
Re: ssh attempts
... Limiting SSH to a particular IP isn't always practical. ... the excellent iptables firewall you probably already have on your system. ... >> Login to account webmaster not allowed or account non-existent. ... >> Computer Emergency Response Teams, ...
(Security-Basics)
Re: ssh access
... >> I can ssh to the linux box from my home pc, ... >> an account for a friend, ... >> outside my firewall. ... it appears as though how sshd gets started during bootup ...
(comp.os.linux.security)
ssh attempts
... multiple accounts such as "guest webmaster mysql info shell apache test..." ... Login to account webmaster not allowed or account non-existent. ... is disabled for ssh, but I would like to know which software can do this scan type, because ... Computer Emergency Response Teams, and Digital Investigations. ...
(Security-Basics)