Network Security Incidents

RE: Internet SSH scans

Subject: RE: Internet SSH scans
Date: Tue, 21 Mar 2006 16:20:46 -0200
Like me.
When I want to connect to some machine, I must first get into a specific
machine, and after that I can connect to the whole network.

Many things can be done:

1) No root login
2) Only a specific User (AllowUsers option on sshd_config)
3) Only a specific machine
4) Some script to analyze the logs

At the "specific machine", I change some things:

1) Always use high ports, never default port
2) Hide the ssh service. How? Try SAdoor
(http://packetstormsecurity.org/UNIX/penetration/rootkits/index6.html)

From packetstorm:
"SADoor is a non-listening remote administration tool for Unix systems. It
sets up a listener in non-promiscuous mode for a specific sequence of packets
arriving to the interface before allowing command mode. The commands are sent
Blowfish encoded in the TCP payload and decoded and passed on to system(3)."

It's cool, and good to hide some services...

Regards,
Adriano.

---------- Forwarded Message -----------
From: mrbits@terra.com.br
To: incidents@securityfocus.com
Sent: 3 Mar 2006 09:33:56 -0000
Subject: Re: Re: RE: Internet SSH scans

These SSH scans are generated (in most cases) by Linux zombie machines,
infected with a kind of worm used to get vulnerable hosts to install a PBSync
IRC.

I just changed my default SSH port and all attacks stopped.

Another way is to run something like DenyHosts, a Python-based daemon that scans
logs and puts the "attacker IP" into /etc/hosts.deny:

SSHD:10.0.0.1 (for example).

Cheers
------- End of Forwarded Message -------


-- 
Adriano Carvalho. 
Developer of the Honeypot-BR project
www.netnix.com.br
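A small illustration of the two log-based ideas raised in the thread (Adriano's "some script to analyze the logs" and the DenyHosts approach of writing attacker IPs into /etc/hosts.deny). This is an added example, not code from the thread or from the DenyHosts project; the log lines are constructed sshd syslog entries, and the threshold, allowlist and `sshd:` daemon name are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines in syslog format (not taken from the thread).
# 10.0.0.1 hammers several accounts; 192.168.1.5 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
Mar 21 10:01:02 bastion sshd[2211]: Failed password for root from 10.0.0.1 port 40211 ssh2
Mar 21 10:01:04 bastion sshd[2211]: Failed password for root from 10.0.0.1 port 40212 ssh2
Mar 21 10:01:06 bastion sshd[2213]: Failed password for invalid user admin from 10.0.0.1 port 40213 ssh2
Mar 21 10:01:09 bastion sshd[2215]: Failed password for invalid user test from 10.0.0.1 port 40214 ssh2
Mar 21 10:02:30 bastion sshd[2220]: Accepted publickey for adriano from 192.168.1.5 port 51022 ssh2
Mar 21 10:03:11 bastion sshd[2222]: Failed password for adriano from 192.168.1.5 port 51030 ssh2
Mar 21 10:03:15 bastion sshd[2222]: Accepted password for adriano from 192.168.1.5 port 51030 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return ({ip: failed attempts}, {ip: set of usernames tried}) for the given log text."""
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return failures, users


def hosts_deny_entries(log_text, threshold=3, allowlist=()):
    """Build TCP-wrappers style hosts.deny lines ("sshd: <ip>") for every source
    address with at least `threshold` failures, skipping allowlisted addresses
    so a legitimate user who fat-fingers a password is not locked out."""
    failures, _ = count_failures(log_text)
    return ["sshd: %s" % ip
            for ip, n in sorted(failures.items())
            if n >= threshold and ip not in allowlist]


if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_LOG, threshold=3, allowlist={"192.168.1.5"}):
        print(entry)
```

Keeping the threshold above one and maintaining an allowlist of your own management hosts is what separates a usable blocker from a self-inflicted denial of service.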
