Network Security: Detailed info on Re: Advice on dealing with scripted SSH attacks?

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Secure-Shell

[Top] [All Lists]

Re: Advice on dealing with scripted SSH attacks?

from [Joseph Spenner] Network Security

[Permanent Link]

Subject:	Re: Advice on dealing with scripted SSH attacks?
Date:	Tue, 28 Mar 2006 15:30:45 -0800 (PST)

--- "Zembower, Kevin" <kzembowe@jhuccp.org> wrote:

What's the current advice on dealing with scripts
that repeatedly try to
log onto SSH using a list of common usernames and
'password' for the
password? I get up to 4,000 of these a day from a
single server. In
searching Google on this, I've learned of techniques
using PAM and
firewall rules that are created dynamically in
response to log-in
attempts.


I've seen systems where an entry is made in
/etc/hosts.allow for sshd: for the offending IP if too
many attempts are detected.  But in order for this to
work, your sshd must be compiled with tcp_wrappers
support.
I see this sort of attack a lot, and if the attacking
script hits a tcp wrapped ssh, it will stop
immediately.  After a few minutes/hours, the entry can
be removed from hosts.allow (or not).



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Advice on dealing with scripted SSH attacks?, Zembower, Kevin RE: Advice on dealing with scripted SSH attacks?, Tevfik Karagülle RE: Advice on dealing with scripted SSH attacks?, Stowe, Will Re: Advice on dealing with scripted SSH attacks?, Martin Schröder Re: Advice on dealing with scripted SSH attacks?, Joseph Spenner <= Re: Advice on dealing with scripted SSH attacks?, Matt P Re: Advice on dealing with scripted SSH attacks?, Jeff Rosowski Re: Advice on dealing with scripted SSH attacks?, Daniel Cid RE: Advice on dealing with scripted SSH attacks?, Thompson Seren

Previous by Date:	Re: premature large file transfer termination, Derek Martin
Next by Date:	Re: Advice on dealing with scripted SSH attacks?, Daniel Cid
Previous by Thread:	Re: Advice on dealing with scripted SSH attacks?, Martin Schröder
Next by Thread:	Re: Advice on dealing with scripted SSH attacks?, Matt P
Indexes:	[Date] [Thread] [Top] [All Lists]