[clug] SSH attack
Stephen Jenkin
sjenkin at canb.auug.org.au
Wed Jul 27 07:04:05 GMT 2005
There are already some pretty good security controls available at the
*individual* level - just not extended globally. Yes - this would be a
nice little project to do some work on...
Thinking over the 'scanning', I've seen a tool that notices attacks and
uses ipchains/iptables to discard *all* packets from the originator.
It needed a file to record IPs & a cronjob to remove them after a time.
Be nice to put a 'hook' into SSH where it would call a script when, like
inetd or login, it noticed too much activity...
Then again, a 'honeypot' script would work nicely too for nominated
accounts. I.e.: If 'admin' login is used (without a supplied key), call a
script (that may bar the IP number or run a shell in a 'chroot jail').
From "man sshd", "AUTHORIZED_KEYS FILE FORMAT":
Protocol 2 pub key consists of: options, key-type, base64 encoded key, comment.
Options:
+ from="pattern-list"
=> comma-sep list, (* and ? serve as wild-cards). pats negated by '!'
+ command="command"
=> command executed whenever this key is used for authentication.
+ environment="NAME=value"
+ no-port-forwarding
+ no-X11-forwarding
+ no-agent-forwarding
+ no-pty
+ permitopen="host:port"
cheers
sj
On Wed, 27 Jul 2005, Robert Edwards wrote:
>
> Seems to me that neither TCP wrappers, nor a firewall, can provide what
> people really want from a proper SSH access control, namely, to limit
> access by arbitrary combinations of:
> - username
> - authentication method (password, keys, pass-phrase etc.)
> - SSH version (1,2 etc.)
> - source IP address (whether or not it reverse-DNS resolves properly)
> - application to be run (in some cases)
> - number of unsuccessful attempts in past X hours
>
> OpenSSH is open-source. Anyone up to speed on where the developers of
> OpenSSH are trying to take it in regard to this sort of control?
> Otherwise, why don't we have a hack-fest and fix it! I'm keen to be
> involved.
>
> Cheers,
>
> Bob Edwards.
>
>
Steve Jenkin, Unix Sys Admin
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA
sjenkin at canb.auug.org.au http://www.tip.net.au/~sjenkin
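
The authorized_keys layout summarised above (options, key-type, base64 key, comment), as an added example that is not part of the original post: a small Python parser that splits the options field with quote awareness and reports which of the listed restrictions each key lacks. The key-type set, the function names and the sample entries (placeholder key text) are assumptions made for illustration.

```python
KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # assumption: Protocol 2 key types of that era
# Restrictions named in the post; sshd treats option keywords case-insensitively.
RESTRICTIONS = ("from", "command", "no-port-forwarding", "no-x11-forwarding",
                "no-agent-forwarding", "no-pty")

def split_unquoted(text, seps):
    """Split text at any character in seps that is outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":      # \" inside a value does not close it
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    parts.append(cur)
    return [p for p in parts if p]

def parse_line(line):
    """Return (options, key_type, key, comment) for one authorized_keys line."""
    fields = split_unquoted(line.strip(), " \t")
    options = {}
    if fields[0] not in KEY_TYPES:          # leading field is the options list
        for opt in split_unquoted(fields.pop(0), ","):
            name, _, value = opt.partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"')
            options[name.lower()] = value if value else True
    return options, fields[0], fields[1], " ".join(fields[2:])

def audit(text):
    """Map each key's comment to the restrictions from the post it lacks."""
    report = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            options, _, _, comment = parse_line(line)
            report[comment] = [r for r in RESTRICTIONS if r not in options]
    return report

SAMPLE = '''\
# constructed sample; key material is placeholder text, not real keys
ssh-rsa AAAAB3PLACEHOLDER1 alice@laptop
from="*.example.org,!gw.example.org",no-pty,command="/usr/local/bin/backup --mode \\"full\\"" ssh-rsa AAAAB3PLACEHOLDER2 backup job
'''

if __name__ == "__main__":
    for comment, missing in audit(SAMPLE).items():
        print(comment, "lacks:", ", ".join(missing) or "nothing")
```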