[ale] Pretty Ugly Out There!
Mills, John M.
Mills.J at ems-t.com
Wed Mar 8 09:49:50 EST 2006
Ben -
Thanks. Looks like three good ideas, all very much to the point. (I was
already disallowing ssh logins by root.)
- John M.
________________________________
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Ben Alexander
Sent: Wednesday, March 08, 2006 9:09 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Pretty Ugly Out There!
Here are three different suggestions -- I got these from a thread that
started a few days ago on incidents at securityfocus.com:
DenyHosts is a python script that will drop offending IPs into
hosts.deny.
denyhosts.sourceforge.net
----
PermitRootLogin no
AllowUsers <xx> <yy> <zz>
where <xx>, <yy> and <zz> are the users that REALLY require ssh access,
after checking they do not have a weak user name (like 'john' or 'mary')
and/or a weak password.
----
The rules track new ssh connections. If there have been 5
connections from a single host in the past 60 seconds then the
connection is dropped. Theoretically a worm could wait and attempt
connecting again, but they don't seem to.
iptables -A INPUT -i $EXTERNAL -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshscans
iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans --rsource -j DROP
----
Ben
On 3/8/06, Mills, John M. <Mills.J at ems-t.com> wrote:
ALErs -
I'm currently logging many hundreds - perhaps thousands - of daily
attempts to get SSH logins on my home box. They come in sequences of
user names (10-20 typically) from one IP, then a different bunch from
another. The guessed account names are starting to cycle through
searches that might actually hit a real username.
I would like to lock any given originating IP out of access or out of
SSH login for some period after some number of failures (against
different usernames). Is there a simple way to do this with or between
'ipchains' and 'open-ssh'?
Also, what steps should I take to smoothly migrate a user from one
username to another? I.e. if I just change the login name in 'passwd',
'shadow' and 'groups', what side effects am I likely to hit?
This box started as RH-7.3, though it's evolved quite a bit with time
(SSH updates in particular).
Thanks.
- Mills
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
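The log-side equivalent of what the thread discusses (DenyHosts-style blocking of a source after N failed logins within a window, the same threshold/window idea as the iptables "recent" rules above), as an added example that is not from the thread or from DenyHosts itself. The log lines are constructed, the function and option names are hypothetical, and timestamps are assumed to fall on the same day since syslog lines carry no year.

```python
import re
from collections import defaultdict, deque

# Constructed sshd auth-log lines for this example (not real traffic).
SAMPLE_LOG = """\
Mar  8 09:01:01 home sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar  8 09:01:04 home sshd[4023]: Failed password for invalid user test from 203.0.113.5 port 4431 ssh2
Mar  8 09:01:09 home sshd[4025]: Failed password for root from 203.0.113.5 port 4440 ssh2
Mar  8 09:01:15 home sshd[4027]: Failed password for invalid user oracle from 203.0.113.5 port 4452 ssh2
Mar  8 09:01:20 home sshd[4029]: Failed password for invalid user guest from 203.0.113.5 port 4460 ssh2
Mar  8 09:05:00 home sshd[4101]: Failed password for john from 198.51.100.7 port 51022 ssh2
Mar  8 09:30:00 home sshd[4200]: Accepted publickey for john from 198.51.100.7 port 51030 ssh2
"""

# Matches the standard OpenSSH "Failed password" line, with or without "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def offenders(log_text, max_failures=5, window_seconds=60):
    """Return {ip: sorted distinct usernames tried} for every source that
    reaches max_failures failed logins inside any window_seconds span.
    Assumes all lines are from one day (syslog timestamps have no year)."""
    recent = defaultdict(deque)   # ip -> seconds-of-day of failures still in window
    users = defaultdict(set)      # ip -> usernames it has tried
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue                      # successful logins and other noise are ignored
        h, mi, s = m.group("ts").split()[-1].split(":")
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        ip = m.group("ip")
        users[ip].add(m.group("user"))
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window_seconds:   # slide the window forward
            q.popleft()
        if len(q) >= max_failures:
            flagged[ip] = sorted(users[ip])
    return flagged


def hosts_deny_lines(flagged):
    """Render the 'sshd: <ip>' entries a DenyHosts-style tool appends to /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in sorted(flagged)]
```

The single failure from 198.51.100.7 never reaches the threshold, so only the host cycling through usernames is written out.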