[wplug] Any tips against this kind of ssh break-in?

Jeff Smereczniak jeff at plummerslade.com
Fri Jul 15 13:59:40 EDT 2005


I lurk here often, but never post.  Here's something that I used
years ago (PortSentry).  Psionic, the original maintainer, was bought by
Cisco a while back, but you can still get the original stuff from
various places.  
I haven't used these in a long time, but I know it could do exactly what
you asked for. 
Check it out:
http://sourceforge.net/projects/sentrytools/ 

I can't vouch for this stuff on the sourceforge site since I never used
it from there, and it appears to be a newer version than I used back
then.  I used to pull it directly from psionic's servers.

LogSentry was nice too, since it could just give me a report of the most
important things from the logs each day.
All of these utilities are/were? highly customizable as well.

Hope this helps.  Let us know if you get it up and running.

Jeff

-----Original Message-----
From: wplug-bounces+jeff=plummerslade.com at wplug.org
[mailto:wplug-bounces+jeff=plummerslade.com at wplug.org] On Behalf Of Russ
Schneider
Sent: Friday, July 15, 2005 7:47 AM
To: WPLUG
Subject: [wplug] Any tips against this kind of ssh break-in?

Occasionally, I get someone trying to break in via ssh, just hammering
away, I'm assuming just trying to guess passwords automatically.

Example: http://www.sugapablo.net/docs/script-02.txt

I have a firewall, ssh is one of the few open ports.  The firewall
(Netgear) does not let me block IP addresses or IP ranges.

I did notice that in sshd_config, root was allowed to login.  I just
turned that off.

Luckily, no one has gotten in with this kind of attempt yet.  But I was
wondering if there were any further measures I could take to make sure
it never happens.

Ideally, I would think there would/should be some kind of measure I
could take where if an IP address made X number of attempts to login and
failed in a Y hour period, that IP address would be blocked from further
login attempts.

Any such thing available/possible?

Any other suggestions to further tighten things down?  What about other
users in the system like http, mysql, ftp, etc?  I *assume* that since
these users don't have (at least I don't think so) passwords associated
with them and sshd_config will only allow users with passwords to login
that they can't login.  (But I could be wrong.)


-- 
[ Russ Schneider (a.k.a. Sugapablo)                                        ]
[ http://www.sugapablo.net <--personal | http://www.sugapablo.com <--music   ]
[ http://www.2ra.org      <--political | http://www.subuse.net   <--discuss ]
_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
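The lockout Russ asks for (block an address once it has failed X logins inside a Y-hour window) is the kind of thing PortSentry-style log watchers automate. As an added illustration that is not from either poster nor from PortSentry, here is a small Python monitor run over constructed sshd log lines; the threshold of 3 failures per hour, the hostname, the year and the addresses are all assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed password" lines sshd writes through syslog (auth.log / secure).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

class FailedLoginTracker:
    """Flags an address once it reaches max_attempts failures inside a sliding window."""
    def __init__(self, max_attempts=3, window=timedelta(hours=1), year=2005):
        self.max_attempts, self.window = max_attempts, window
        self.year = year                    # syslog timestamps carry no year (assumed 2005)
        self.hits = defaultdict(deque)      # ip -> timestamps of failures still in window
        self.blocked = set()

    def feed(self, line):
        """Return the offending IP if this line trips the threshold, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None                     # not a failed-login line: ignore it
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = self.hits[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > self.window:
            hits.popleft()                  # forget failures older than the window
        if len(hits) >= self.max_attempts and m["ip"] not in self.blocked:
            self.blocked.add(m["ip"])       # report each address only once
            return m["ip"]
        return None

def find_offenders(lines, **kwargs):
    """Run the tracker over log lines; return addresses to block, in the order they tripped."""
    tracker = FailedLoginTracker(**kwargs)
    return [ip for ip in map(tracker.feed, lines) if ip]

# Constructed sample lines in syslog layout (not a real capture): 10.0.0.5 fails three
# times in three minutes; 10.0.0.9 also fails three times, but spread beyond the one-hour window.
SAMPLE_LOG = [
    "Jul 15 12:00:01 host sshd[2001]: Failed password for root from 10.0.0.9 port 40001 ssh2",
    "Jul 15 12:30:02 host sshd[2002]: Failed password for invalid user admin from 10.0.0.9 port 40002 ssh2",
    "Jul 15 13:00:03 host sshd[2003]: Failed password for root from 10.0.0.5 port 40003 ssh2",
    "Jul 15 13:01:04 host sshd[2004]: Failed password for invalid user test from 10.0.0.5 port 40004 ssh2",
    "Jul 15 13:02:05 host sshd[2005]: Accepted publickey for russ from 192.168.1.2 port 40005 ssh2",
    "Jul 15 13:02:06 host sshd[2006]: Failed password for root from 10.0.0.5 port 40006 ssh2",
    "Jul 15 13:03:07 host sshd[2007]: Failed password for root from 10.0.0.5 port 40007 ssh2",
    "Jul 15 13:20:08 host sshd[2008]: Failed password for root from 10.0.0.9 port 40008 ssh2",
]
```

Since the Netgear box can't block addresses, the returned IPs would be fed to a host-level block (a hosts.deny entry or a local firewall rule) on the machine running sshd.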