[wplug] Any tips against this kind of ssh break-in?

Shawn Maceno smaceno at Accessdc.com
Fri Jul 15 08:10:56 EDT 2005


Russ,

I've configured sshd on a couple of servers to run with xinetd, and in
the configuration for the service you can specify what IP addresses can
make connections.  Not sure about your suggestion of locking out after
so many failed attempts, but here's an example of my sshd config.  This
file is /etc/xinetd.d/sshd.  The only_from entry is a space-separated
list of IP addresses or ranges.

service ssh
{
        protocol        = tcp
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/sshd
        port            = 22
        # -i tells sshd it is being run from inetd/xinetd (one process per connection)
        server_args     = -i
        instances       = 30
        # Only these addresses/ranges may connect; everyone else is refused by xinetd
        # before sshd ever starts.  Replace 127.0.0.1 with your own trusted hosts.
        only_from       = 127.0.0.1
        # Log refused connections with the attempted service, client host and user id
        log_on_failure  = ATTEMPT HOST USERID
}


Hope this helps!

Shawn Maceno

On Fri, 2005-07-15 at 07:46 -0400, Russ Schneider wrote:

> Occasionally, I get someone trying to break in via ssh, just hammering 
> away, I'm assuming just trying to guess passwords automatically.
> 
> Example: http://www.sugapablo.net/docs/script-02.txt
> 
> I have a firewall, ssh is one of the few open ports.  The firewall 
> (Netgear) does not let me block IP addresses or IP ranges.
> 
> I did notice that in sshd_config, root was allowed to login.  I just
> turned that off.
> 
> Luckily, no one has gotten in with this kind of attempt yet.  But I was 
> wondering if there were any further measures I could take to make sure it 
> never happens.
> 
> Ideally, I would think there would/should be some kind of measure I could
> take where if an IP address made X number of attempts to login and failed
> in a Y hour period, that IP address would be blocked from further login
> attempts.
> 
> Any such thing available/possible?
> 
> Any other suggestions to further tighten things down?  What about other 
> users in the system like http, mysql, ftp, etc?  I *assume* that since 
> these users don't have (at least I don't think so) passwords associated 
> with them and sshd_config will only allow users with passwords to login 
> that they can't login.  (But I could be wrong.)
> 
> 
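
The "X failed attempts in a Y hour period" rule Russ asks about, as an added example that is not code from either poster: a small Python script that reads sshd "Failed password" lines, keeps a sliding window of failures per client address, and prints a firewall rule for any address that crosses the threshold. The log lines are constructed for the example (syslog format, which carries no year, so the year is passed in), the client addresses are documentation addresses, and the threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (standard syslog/sshd wording); not from the thread.
SAMPLE_LOG = """\
Jul 15 07:40:01 host sshd[2201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jul 15 07:40:03 host sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Jul 15 07:40:05 host sshd[2205]: Failed password for invalid user test from 192.0.2.10 port 40140 ssh2
Jul 15 07:41:10 host sshd[2210]: Accepted publickey for russ from 198.51.100.7 port 51000 ssh2
Jul 15 07:45:30 host sshd[2215]: Failed password for russ from 198.51.100.7 port 51004 ssh2
Jul 15 09:50:00 host sshd[2301]: Failed password for root from 192.0.2.10 port 40200 ssh2
Jul 15 09:50:02 host sshd[2302]: Failed password for root from 192.0.2.10 port 40201 ssh2
"""

# Matches both "Failed password for USER from IP" and "Failed password for invalid user USER from IP".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Return a list of (timestamp, ip, user) for every failed-password line.

    syslog timestamps have no year, so the caller supplies it (assumed 2005 here).
    Accepted logins and unrelated lines are skipped.
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def offending_ips(failures, max_attempts=3, window_hours=1):
    """Flag every IP that makes >= max_attempts failures inside a sliding window.

    Returns {ip: timestamp of the attempt that crossed the threshold}.
    Old attempts drop out of the window, so a slow trickle does not accumulate.
    """
    window = timedelta(hours=window_hours)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip, _user in sorted(failures):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # discard attempts older than the window
            q.popleft()
        if len(q) >= max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rules(flagged):
    """Render one iptables rule per flagged IP that drops new connections to port 22."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    # Assumed policy: 3 failures within 1 hour gets an address blocked.
    hits = offending_ips(parse_failures(SAMPLE_LOG), max_attempts=3, window_hours=1)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when}")
    print("\n".join(block_rules(hits)))
```

Run against the sample, 192.0.2.10 is flagged at its third failure (07:40:05) while 198.51.100.7, with a single typo'd password, is left alone. To use it for real, tail /var/log/auth.log (or wherever syslog puts sshd messages on your distribution) and feed each new line into the same window logic; a long-lived process with a periodic expiry of the blocks is better than a cron job, and the count and window should be chosen with shared NAT addresses in mind, since one rule blocks everyone behind them.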