Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ssh attempts

from [Martín Biamonte] Network Security [Permanent Link]
Subject: RE: ssh attempts
Date: Mon, 30 Jan 2006 11:54:52 -0300 
Change the port to something different than port 22. Configure the
firewall to deny any access to another ports, 
with this you will "deny" port scanning.

Also if you use pf as packet filter you could use a authpf to open and
close ports on the fly.

BTW, has somebody known some free implementation similar to secureID?.

Slte
Mrtn

-----Original Message-----
From: Matt Alexander [mailto:lowbassman@gmail.com] 
Sent: Domingo, 22 de Enero de 2006 02:52 a.m.
To: Robert Bauer
Cc: security-basics@securityfocus.com
Subject: Re: ssh attempts


Another fun addition is port knocking with iptables:

http://www.neep.co.uk/index.php?tab=Projects&menu=Port%20Knocking


Robert Bauer wrote:

Limiting SSH to a particular IP (or set of IP's) isn't always 
practical.

As for how & where to do the blocking, besides TCPWrappers, don't 
forget the excellent iptables firewall you probably already have on 
your system.

Also, consider changing the port SSH listens on.  This will stop 
nearly all of the scripted attacks.  Another valuable technique is to 
have your system detect these attacks and dynamically block the source



IP addresses.  Scripts for doing this are pretty easy to find on the 
net.

Robert Bauer
Snow Enterprises
(336) 623-7772 ext. 307


Leif Ericksen wrote:
  

Lock down your box a little more...  Enable TCPWrappers in the very 
least.  IF they are able to hit your system like that via SSH it is 
obvious that you are not blocking.  This is common.  My firewall logs



show and have shown attempts to ssh (This is for a personal system) 
they get stopped at the firewall because they are not coming from the



correct IP address(es) Incidentally the ones I see hitting my 
firewall cam from China, Korea, and Taiwan for the most part, least 
wise that is what the IP indicated as long as it was not spoofed.

Before I locked down my firewall to IP I would see the rejects 
because of Wrappers.

If the system is on the net LOCK IT DOWN.

--
Leif Ericksen
On Wed, 2006-01-04 at 11:35 +0100, Emilio Casbas wrote:
  
    

I´ve noticed that several Linux Machines I have running are getting
scanned via ssh for
multiple accounts such as "guest webmaster mysql info shell apache 
test..." and many others,
the log show:

Jan  3 01:31:08 machine sshd2[22087]: WARNING: DNS lookup failed for
"X.X.X.233".
Jan  3 01:31:10 machine sshd2[22087]: password authentication

failed. 

Login to account webmaster not allowed or account non-existent.
Jan  3 01:31:13 machine sshd2[21757]: LoginGraceTime exceeded.

as well there are attempts to connect with root login, with the log
message show as:

WARNING: DNS lookup failed for "X.X.X.233".
Jan  3 01:17:53 machine sshd2[21651]: root login denied for user 
'root'.

Obviously, We don´t have accounts with that name on our systems, and



the
root account
is disabled for ssh, but I would like to know which software can do

this 

scan type, because
while it's running, the machine proccesses grow too much.

Thanks.
Emilio C.


--------------------------------------------------------------------
-------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec

management 

education and the case study affords you unmatched consulting

experience. 

Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity

Planning, 

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------------
--------

    
      



----------------------------------------------------------------------
-----
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting

experience. 

Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity

Planning, 

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------
------


  




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  CISSP ISSAP concentration preparation, Voodoo Geek
Next by Date:  Fw: Nmap 4.00 Released! (ARP scanning), Michael Painter
Previous by Thread:  Re: ssh attempts, Matt Alexander
Next by Thread:  Re: Trojan found on Linux server, [at]
Indexes:  [Date] [Thread] [Top] [All Lists]