FW: [clug] SSH attack

Steve Walsh steve at nerdvana.org.au
Tue Jul 26 01:48:41 GMT 2005


Or, you could set up a small script to parse the log files every hour (or
minute or whatever time frame suits you) and then output the result of
multiple appearances of an IP into the hosts.deny file. Mind you, for this
to work, you need to be running TCP wrappers, but then if a machine is on
the big bad net and not running TCP wrapper ...I don't want to think about
that.


Steve.
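The cron-driven log scan Steve describes, written out as an added example (this is not Steve's script and not part of the original mail). It assumes sshd log lines in the syslog format quoted further down in the thread; the sample log, the failure threshold (3) and the whitelist address are constructed values for illustration. Entries are written in the tcpwrappers form `sshd: <address>`, so sshd must have been built with libwrap for hosts.deny to have any effect.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address in an auth log and
# emit hosts.deny entries for every source at or above a threshold.
# Assumed: syslog-style sshd lines as quoted in the thread; values below are
# constructed for illustration only.

# Constructed sample log in the same format as the lines quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from 66.235.160.30 port 60518 ssh2
Jun 30 22:58:49 cdr sshd[3538]: Failed password for illegal user admin from 66.235.160.30 port 60520 ssh2
Jun 30 22:58:53 cdr sshd[3540]: Failed password for illegal user guest from 66.235.160.30 port 60522 ssh2
Jun 30 23:01:10 cdr sshd[3542]: Failed password for steve from 192.0.2.10 port 41000 ssh2
Jun 30 23:05:00 cdr sshd[3544]: Accepted password for steve from 192.0.2.10 port 41002 ssh2
EOF
)

# Read log text on stdin; print "count ip" for each source with failed
# password attempts, highest count first.
count_failures() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Read log text on stdin; print a hosts.deny line for every source whose
# failure count reaches $1, skipping addresses in the whitelist $2
# (space-separated) so a mistyped password from a known host never locks it out.
deny_list() {
    threshold=$1
    whitelist=${2:-}
    count_failures | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case " $whitelist " in
            *" $ip "*) continue ;;
        esac
        printf 'sshd: %s\n' "$ip"
    done
}

# Read log text on stdin; append new entries to the hosts.deny file $1 without
# duplicating ones already present, so the script is safe to re-run from cron.
# Real use: update_hosts_deny /etc/hosts.deny 3 < /var/log/auth.log (as root).
update_hosts_deny() {
    file=$1
    threshold=$2
    whitelist=${3:-}
    touch "$file"
    deny_list "$threshold" "$whitelist" | while read -r entry; do
        grep -qxF "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
    done
}

# Stand-alone run: show what the sample log would add at threshold 3.
printf '%s\n' "$SAMPLE_LOG" | deny_list 3 192.0.2.10
```

Only "Failed password" lines are counted; the "Illegal user" line that precedes each of them would otherwise double the tally. The whitelist is matched on the exact address, so a CIDR range would need a separate check.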
-----Original Message-----
From:
Andrew Pollock
Sent: Tuesday, 26 July 2005 10:12 AM
To: Steve Jenkin
Cc: CLUG List
Subject: Re: [clug] SSH attack


On Mon, Jul 25, 2005 at 11:51:22PM +1000, Steve Jenkin wrote:
> Tonight I noticed lots of inbound network activity to an unused host: I
> mapped SSH through the firewall to it.
>
> First event in log:
> Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
> Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
> from 66.235.160.30 port 60518 ssh2
>
> Could this explain the compromise someone on the list saw recently?

I use Netfilter to slow these down a bit. The attacks are always impatient,
and that is usually their downfall.

http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks

There can be a bit of collateral damage with these rules and legitimate SSH
connections originating from lossy networks, so judicious use of
whitelisting is advised.

I find this greatly reduces the noise in the logs without needing to filter
it out altogether.

 regards

 Andrew
--
linux mailing list
linux at lists.samba.org
https://lists.samba.org/mailman/listinfo/linux
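Andrew's reply links to his own ipt_recent rules; the following is an added example of the same idea, not his ruleset and not taken from the linked post. It uses the netfilter `recent` match to drop a source that opens too many new SSH connections within a short window, with a whitelist evaluated before the throttle, which is the "judicious whitelisting" the reply recommends for clients on lossy networks. The whitelist addresses, the 60-second window and the hit count of 4 are illustrative values; `IPT` defaults to `echo` so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: throttle SSH brute-force attempts with the netfilter "recent"
# match. Not the ruleset from the linked blog post; addresses and limits below
# are constructed for illustration.
# IPT defaults to "echo" (dry run). Run as root with IPT=iptables to apply.
IPT=${IPT:-echo}

SSH_WHITELIST="192.0.2.10 198.51.100.0/24"   # constructed example sources
WINDOW=60     # seconds
HITS=4        # new connections per WINDOW from one source before dropping

ssh_throttle_rules() {
    # 1. Whitelisted sources are accepted before the throttle is consulted,
    #    so a flaky link that retries often is never locked out.
    for src in $SSH_WHITELIST; do
        $IPT -A INPUT -p tcp --dport 22 -s "$src" -m conntrack --ctstate NEW -j ACCEPT
    done
    # 2. Record every new SSH connection attempt per source in the "SSH" list.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
    # 3. Drop a source seen HITS or more times within WINDOW seconds. --update
    #    refreshes the timestamp on each hit, so an impatient client that keeps
    #    retrying keeps itself blocked; one that waits a minute gets through.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --name SSH -j DROP
}

# Stand-alone run: print (or with IPT=iptables, install) the rules in order.
ssh_throttle_rules
```

Rule order matters: the whitelist ACCEPTs must precede the `--set` rule, otherwise whitelisted hosts are still recorded and can still trip the counter. The `recent` module caps `--hitcount` at its `ip_pkt_list_tot` parameter (20 by default), so keep the threshold below that.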
