Can you lock down your Firewall to only allow a specific range of IP's
to your SSH server? If your SSH users all reside within a certain area
(like in the same general vacinity of your business), maybe you can
pinpoint their ISP's and only allow access from those specific ranges.
Or, identify the users allowed to log in via ssh and have them obtain
their home IP's. Yes, ISP's allocate IP's to their Cable/DSL modems via
DHCP, however its been my experience that once one of these modems (non
diaul-up that is) obtains an IP, it usually retains the same IP. Maybe
you can lock it down and drop all other packets.
Another idea..Change the external IP of the SSH Server and toss in
LABREA or a Honeypot running an SSH Server on the IP currently in
use/under attack. Maybe you can set something up so that this guy will
be occupied with the Honeypot enough to leave your real SSH server
alone. If you can configure your honeypot ssh server with some basic
username and pass and let him crack that. Set it up to log all events
and maybe you can get enough info to catch this guy.
If you do resolve the issue, can you share your procedures with the
community?
Good Luck.
JMB
| -----Original Message-----
| From: Dave [mailto:dlaud.flux@gmail.com]
| Sent: Monday, January 23, 2006 4:41 PM
| To: security-basics@securityfocus.com
| Subject: SSH server under attack...
|
| My SSH server has been under DoS and I cant stop it!!!
|
|
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
