[clug] SSH attack

Stephen Jenkin sjenkin at canb.auug.org.au
Wed Jul 27 07:04:05 GMT 2005

There are already some pretty good security controls available at the
*individual* level - just not extended globally.  yes - this would be a
nice little project to do some work on...

Thinking over the 'scanning', I've seen a tool that notices attacks and
uses ipchains/iptables to discard *all* packets from the originator.
It needed a file to record IP's & a cronjob to remove them after a time.
Be nice to put a 'hook' into SSH where it would call a script when, like
inetd or login, it noticed too much activity...

Then again, a 'honeypot' script would work nicely too for nominated
accounts. Ie: If 'admin' login is used (without a supplied key), call a
script (that may bar the IP number or run a shell in a 'chroot jail').

Protocol 2 pub key consists of: options, key-type, base64 encoded key, comment.
 + from="pattern-list"
   =>  comma-sep list, (* and ? serve as wild-cards).  pats negated by '!'
 +  command="command"
   => command executed whenever this key is used for authentication.
 + environment="NAME=value"
 + no-port-forwarding
 + no-X11-forwarding
 + no-agent-forwarding
 + no-pty
 + permitopen="host:port"


On Wed, 27 Jul 2005, Robert Edwards wrote:

> Seems to me that neither TCP wrappers, nor a firewall, can provide what
> people really want from a proper SSH access control, namely, to limit
> access by arbitrary combinations of:
>   - username
>   - authentication method (password, keys, pass-phrase etc.)
>   - SSH version (1,2 etc.)
>   - source IP address (whether or not it reverse-DNS resolves properly)
>   - application to be run (in some cases)
>   - number of unsuccessful attempts in past X hours
> OpenSSH is open-source. Anyone up to speed on where the developers of
> OpenSSH are trying to take it in regard to this sort of control?
> Otherwise, why don't we have a hack-fest and fix it! I'm keen to be
> involved.
> Cheers,
> Bob Edwards.

Steve Jenkin, Unix Sys Admin
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://www.tip.net.au/~sjenkin

More information about the linux mailing list