[ale] Pretty Ugly Out There!

Steven A. DuChene linux-clusters at mindspring.com
Wed Mar 8 14:17:45 EST 2006


I have found sshfilter to do a VERY good job of stopping these ssh attempts
on my systems. It places rules into your firewall rules dynamically based
on common criteria that match almost all (like 99.9%) of these ssh hack
attempts. After some tune-able period of time the added rules are expired
as well.

http://www.csc.liv.ac.uk/~greg/sshdfilter/

-----Original Message-----
>From: Ben Alexander <ben-ale at bensbox.com>
>Sent: Mar 8, 2006 7:08 AM
>To: Atlanta Linux Enthusiasts <ale at ale.org>
>Subject: Re: [ale] Pretty Ugly Out There!
>
>Here are three different suggestions -- I got these from a thread that
>started a few days ago on incidents at securityfocus.com:
>
>DenyHosts is a python script that will drop offending IPs into hosts.deny.
>
>denyhosts.sourceforge.net
>
>----
>
>PermitRootLogin no
>AllowUsers <xx> <yy> <zz>
>
>       where <xx>, <yy> and <zz> are the users that REALLY require ssh
>access,
>after checking they do not have a weak user name (like 'john' or 'mary')
>and/or a weak password.
>
>----
>
>The rules track new ssh connections. If there have been 5
>connections from a single host in the past 60 seconds then the
>connection is dropped. Theoretically a worm could wait and attempt
>connecting again, but they don't seem to.
>
>
>iptables -A INPUT -i $EXTERNAL -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshscans
>iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans --rsource -j DROP
>
>
>----
>
>Ben
>
>
>On 3/8/06, Mills, John M. <Mills.J at ems-t.com> wrote:
>>
>> ALErs -
>>
>> I'm currently logging many hundreds - perhaps thousands - of daily
>> attempts to get SSH logins on my home box. They come in sequences of
>> user names (10-20 typically) from one IP, then a different bunch from
>> another. The guessed account names are starting to cycle through searches
>> that might actually hit a real username.
>>
>> I would like to lock any given originating IP out of access or out of
>> SSH login for some period after some number of failures (against
>> different usernames). Is there a simple way to do this with or between
>> 'ipchains' and 'open-ssh'?
>>
>> Also, what steps should I take to smoothly migrate a user from one
>> username to another? I.e. if I just change the login name in 'passwd',
>> 'shadow' and 'groups', what side effects am I likely to hit?
>>
>> This box started as RH-7.3, though it's evolved quite a bit with time
>> (SSH updates in particular).
>>
>> Thanks.
>>
>> - Mills
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://www.ale.org/mailman/listinfo/ale
>>
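The log-driven approach behind DenyHosts and sshdfilter, which the thread recommends for John's "lock the IP out after N failures" question, boils down to counting sshd "Failed password" lines per source address and turning the offenders into firewall rules. The script below is an added illustration written for this archive page, not code from the thread, DenyHosts or sshdfilter; the sshd log lines are constructed (RFC 5737 documentation addresses) and the function names are hypothetical. It only prints the iptables rules it would add; rule expiry, which sshfilter does for you, is left out.

```shell
#!/bin/sh
# Constructed sample of sshd auth-log lines (documentation addresses, not real hosts).
SAMPLE_LOG='Mar  8 07:01:12 box sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  8 07:01:15 box sshd[2233]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Mar  8 07:01:18 box sshd[2235]: Failed password for invalid user guest from 192.0.2.10 port 51242 ssh2
Mar  8 07:01:21 box sshd[2237]: Failed password for root from 192.0.2.10 port 51250 ssh2
Mar  8 07:01:24 box sshd[2239]: Failed password for invalid user oracle from 192.0.2.10 port 51255 ssh2
Mar  8 07:05:02 box sshd[2301]: Failed password for mills from 198.51.100.7 port 40012 ssh2
Mar  8 07:05:09 box sshd[2301]: Accepted password for mills from 198.51.100.7 port 40012 ssh2
Mar  8 07:09:44 box sshd[2350]: Failed password for invalid user john from 203.0.113.5 port 60001 ssh2
Mar  8 07:09:47 box sshd[2352]: Failed password for invalid user mary from 203.0.113.5 port 60004 ssh2'

# offending_ips THRESHOLD: read sshd log lines on stdin and print every source
# address with at least THRESHOLD failed logins as "<ip> <count>", sorted by ip.
# A legitimate user who mistypes once (198.51.100.7 above) stays below the bar.
offending_ips() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address follows the literal word "from", whatever the username length
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# block_rules: turn "<ip> <count>" lines into the firewall rule that locks the
# address out of ssh only (printed for review, not applied; swap in ipchains
# syntax on a pre-2.4 kernel like the original RH-7.3 box).
block_rules() {
    while read -r ip count; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP  # %s failures\n' "$ip" "$count"
    done
}

printf '%s\n' "$SAMPLE_LOG" | offending_ips 5 | block_rules
```

Feeding it the real log (`tail -F /var/log/secure` on Red Hat, `/var/log/auth.log` elsewhere) instead of `$SAMPLE_LOG` gives the same per-IP counts these tools work from.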
