[wplug] Any tips against this kind of ssh break-in?
Jeff Smereczniak
jeff at plummerslade.com
Fri Jul 15 13:59:40 EDT 2005
I lurk here often, but never post. Here's something that I used
years ago: PortSentry. Psionic, the original maintainer, was bought by
Cisco a while back, but you can still get the original stuff from
various places.
I haven't used these in a long time, but I know it could do exactly what
you asked for.
Check it out:
http://sourceforge.net/projects/sentrytools/
I can't vouch for this stuff on the sourceforge site since I never used
it from there, and it appears to be a newer version than I used back
then. I used to pull it directly from psionic's servers.
LogSentry was nice too, since it could just give me a report of the most
important things from the logs each day.
All of these utilities are/were? highly customizable as well.
Hope this helps. Let us know if you get it up and running.
Jeff
-----Original Message-----
From: wplug-bounces+jeff=plummerslade.com at wplug.org
[mailto:wplug-bounces+jeff=plummerslade.com at wplug.org] On Behalf Of Russ Schneider
Sent: Friday, July 15, 2005 7:47 AM
To: WPLUG
Subject: [wplug] Any tips against this kind of ssh break-in?
Occasionally, I get someone trying to break in via ssh, just hammering
away, I'm assuming just trying to guess passwords automatically.
Example: http://www.sugapablo.net/docs/script-02.txt
I have a firewall, ssh is one of the few open ports. The firewall
(Netgear) does not let me block IP addresses or IP ranges.
I did notice that in sshd_config, root was allowed to login. I just
turned that off.
Luckily, no one has gotten in with this kind of attempt yet. But I was
wondering if there were any further measures I could take to make sure
it never happens.
Ideally, I would think there would/should be some kind of measure I
could take where if an IP address made X number of attempts to login and
failed in a Y hour period, that IP address would be blocked from further
login attempts.
Any such thing available/possible?
Any other suggestions to further tighten things down? What about other
users in the system like http, mysql, ftp, etc? I *assume* that since
these users don't have (at least I don't think so) passwords associated
with them and sshd_config will only allow users with passwords to login
that they can't login. (But I could be wrong.)
--
[ Russ Schneider (a.k.a. Sugapablo) ]
[ http://www.sugapablo.net <--personal | http://www.sugapablo.com <--music ]
[ http://www.2ra.org <--political | http://www.subuse.net <--discuss ]
_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
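The "X failed attempts from one IP in a Y hour period" rule Russ asks for, written out as an added example (not code from either poster, and not from PortSentry or LogSentry). It parses the "Failed password" lines OpenSSH writes to the auth log and flags every source address that crosses the threshold inside a sliding window, then renders a block rule per address. The log lines are constructed for the example; the year has to be supplied because syslog timestamps do not carry one; and the output rules assume the host itself runs Linux with iptables, which the thread does not state (the Netgear box cannot block addresses, so the host is where the rule would go). The rules are returned as text, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed password" lines OpenSSH writes via syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (not a real capture); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
LOG = """\
Jul 15 07:31:02 box sshd[4410]: Failed password for invalid user admin from 203.0.113.5 port 3302 ssh2
Jul 15 07:31:04 box sshd[4412]: Failed password for invalid user test from 203.0.113.5 port 3305 ssh2
Jul 15 07:31:07 box sshd[4414]: Failed password for root from 203.0.113.5 port 3309 ssh2
Jul 15 07:31:09 box sshd[4416]: Failed password for invalid user guest from 203.0.113.5 port 3311 ssh2
Jul 15 07:31:12 box sshd[4418]: Accepted publickey for russ from 198.51.100.7 port 51022 ssh2
Jul 15 07:45:30 box sshd[4420]: Failed password for russ from 198.51.100.7 port 51030 ssh2
Jul 15 09:02:11 box sshd[4501]: Failed password for invalid user oracle from 203.0.113.5 port 3400 ssh2
Jul 15 11:50:00 box sshd[4602]: Failed password for russ from 198.51.100.7 port 51100 ssh2
""".splitlines()


def parse_failures(lines, year):
    """Yield (timestamp, ip, user) for each failed-password line; skip everything else."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps have no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def offenders(lines, max_attempts, window_hours, year):
    """Return {ip: peak_count} for every IP with at least max_attempts
    failures inside some window_hours-long sliding window."""
    window = timedelta(hours=window_hours)
    per_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(lines, year):
        per_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        recent = deque()          # failures inside the current window
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:   # drop failures older than the window
                recent.popleft()
            if len(recent) >= max_attempts:
                flagged[ip] = max(flagged.get(ip, 0), len(recent))
    return flagged


def block_rules(flagged):
    """One iptables rule per flagged address, as text (assumption: Linux host)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    # X = 4 failures, Y = 1 hour, on the constructed 2005 log above
    for rule in block_rules(offenders(LOG, 4, 1, 2005)):
        print(rule)
```

Run from cron against the real log (after replacing LOG with the file contents), this gives the "X in Y hours" rule without anything on the Netgear. Note that the counting is per source address, so a bot rotating through many addresses, or many users behind one NAT, will be over- or under-counted; and any address you add with -j DROP needs a matching expiry or you will eventually lock out a legitimate user who mistyped a password a few times.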
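On the second question (whether http, mysql, ftp and similar accounts can be logged into): what decides it is the password field in /etc/shadow, not anything in sshd_config. A field of "*" or one starting with "!" is locked and no password can match it; an empty field means no password is needed at all; anything else is a hash a guessing bot can work against. The following is an added example, not from the thread, that audits constructed passwd and shadow lines (the users, shells and hash strings are all made up for the example) and reports which accounts a password guess could still match. It also marks accounts whose shell is a nologin shell, since that stops the interactive session but not the authentication step itself; and none of this applies to key-based logins, which never consult the password field.

```python
# Shells that refuse an interactive session (common values; extend for your distro).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed sample files. The hash strings are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
russ:x:1000:1000:Russ Schneider:/home/russ:/bin/bash
http:x:80:80:http server:/var/www:/bin/false
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
backup:x:1001:1001:nightly backup:/home/backup:/bin/sh
"""
SHADOW = """\
root:$1$Zt7g3Qx1$8VqL0sQ2bN4y6m1c9w3eK/:12983:0:99999:7:::
russ:$1$Hk2p9Lm4$3oT7xWvB5nR8qC1dY6fZa.:12983:0:99999:7:::
http:!:12983:0:99999:7:::
mysql:*:12983:0:99999:7:::
ftp:$1$Qw8e2Rt5$7yU1iO3pA6sD9fG4hJ2kL1:12983:0:99999:7:::
backup::12983:0:99999:7:::
"""


def parse_colon_file(text):
    """Map the first field of each non-empty line to the remaining fields."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        rows[fields[0]] = fields[1:]
    return rows


def password_login_candidates(passwd_text, shadow_text):
    """Return {user: reason} for accounts a password-guessing bot could match:
    a real hash, or an empty field (no password required)."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    result = {}
    for user, fields in passwd.items():
        shell = fields[5] if len(fields) > 5 else ""
        # No shadow row at all: treat as locked rather than guess.
        secret = shadow.get(user, ["*"])[0]
        if secret == "":
            reason = "empty password field"
        elif secret.startswith(("!", "*")):
            continue                      # locked: no password can match
        else:
            reason = "password hash present"
        if shell in NOLOGIN_SHELLS:
            # Authentication still succeeds; only the interactive session is refused.
            reason += " (shell refuses interactive login)"
        result[user] = reason
    return result


if __name__ == "__main__":
    for user, reason in password_login_candidates(PASSWD, SHADOW).items():
        print(f"{user}: {reason}")
```

On the sample data http and mysql drop out (locked), while root and russ have real hashes, ftp has a hash behind a nologin shell, and backup has an empty field, which with PermitEmptyPasswords yes in sshd_config would let anyone in as that user. On a real box, run it against /etc/passwd and /etc/shadow as root, and lock anything that should never authenticate with passwd -l.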