List Archive: gentoo-security
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
I don't know how applicable this is to this list, but lots of the SSH hacks on my boxes come from China (cn) and Korea (kr). The bad news is a lot of the ISPs are out of control over there and cannot manage their networks. Attached are scripts I generate every night to block all packets from those countries. Depending on your applications, you might (or not) want to run these.<BR>
<BR>
Brian Micek<BR>
<BR>
On Sun, 2005-10-02 at 17:29 -0500, J Holder wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">MaxieZ said:</FONT>
<FONT COLOR="#000000">> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:</FONT>
<FONT COLOR="#000000">>> Hey all,</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> I'm looking for an app/script which can monitor for failed ssh logins,</FONT>
<FONT COLOR="#000000">>> and block using IPTables for $time after $number of failed logins (an</FONT>
<FONT COLOR="#000000">>> exclusion list would be handy as well) so that I can put a quick stop to</FONT>
<FONT COLOR="#000000">>> these niggly brute-force ssh "attacks" I seem to be getting more and</FONT>
<FONT COLOR="#000000">>> more often.</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> <A HREF="http://kodu.neti.ee/~risto/sec/">http://kodu.neti.ee/~risto/sec/</A></FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> or change ports</FONT>
<FONT COLOR="#000000">Changing ports does a wonderful job of cutting down on spurious connects. </FONT>
<FONT COLOR="#000000">Going one tiny step further, I like to know if anyone has ever connected</FONT>
<FONT COLOR="#000000">to my sshd. So I do the following:</FONT>
<FONT COLOR="#000000">1. Set loglevel for sshd to verbose</FONT>
<FONT COLOR="#000000">2. cron a connect report to run once an hour. This tells me the IP and</FONT>
<FONT COLOR="#000000">reverse IP address of every host to do a full connect. AFAIK, a full</FONT>
<FONT COLOR="#000000">connect would be necessary to see the banner and identify the port as</FONT>
<FONT COLOR="#000000">running sshd.</FONT>
<FONT COLOR="#000000">My connect-report script is as follows:</FONT>
<FONT COLOR="#000000">echo "Remote SSH Connection report for $HOSTNAME"</FONT>
<FONT COLOR="#000000">echo "------------------------------------------"</FONT>
<FONT COLOR="#000000">echo</FONT>
<FONT COLOR="#000000">egrep "Connection from" < /var/log/auth.log | egrep -o '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+' | sort | uniq | /root/bin/phost</FONT>
<FONT COLOR="#000000">The above script relies on phost; a small helper script (because I</FONT>
<FONT COLOR="#000000">couldn't stand to spend more than 5 minutes trying to figure out which IP</FONT>
<FONT COLOR="#000000">lookups would accept input from stdin):</FONT>
<FONT COLOR="#000000">#!/usr/bin/perl</FONT>
<FONT COLOR="#000000"># Reverse-resolve each address read from stdin, one per line.</FONT>
<FONT COLOR="#000000">while (<STDIN>) {</FONT>
<FONT COLOR="#000000"> chomp;              # drop the newline before handing $_ to host</FONT>
<FONT COLOR="#000000"> $output = `host $_`;</FONT>
<FONT COLOR="#000000"> print $output;</FONT>
<FONT COLOR="#000000">}</FONT>
<FONT COLOR="#000000">I have never seen a connect from an IP I didn't expect, and if I ever do,</FONT>
<FONT COLOR="#000000">I can just move sshd to another port if I am feeling excessively paranoid.</FONT>
</PRE>
</BLOCKQUOTE>
</BODY>
</HTML>
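The connect report quoted above, together with the failed-login counter and exclusion list that Jeremy asked for, as an added example that is not code posted by anyone in this thread. It assumes sshd is logging at LogLevel VERBOSE, so that every completed TCP connect yields a "Connection from" line and every bad password a "Failed password ... from" line; the log text, threshold and exclusion list are parameters, the sample log lines are constructed, the reverse lookup is left out so it runs offline, and the iptables rules are printed rather than applied.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Assumptions: sshd logs at LogLevel VERBOSE, so every completed TCP connect
# produces a "Connection from <ip> port <n>" line and every bad password a
# "Failed password ... from <ip> port <n>" line; the log text, threshold and
# exclusion list are passed as parameters instead of being hard-coded.

# Constructed sample lines standing in for /var/log/auth.log.
SAMPLE_LOG=$(cat <<'EOF'
Oct  3 01:02:03 box sshd[1234]: Connection from 192.0.2.10 port 51000
Oct  3 01:02:04 box sshd[1234]: Failed password for root from 192.0.2.10 port 51000 ssh2
Oct  3 01:02:05 box sshd[1236]: Failed password for root from 192.0.2.10 port 51001 ssh2
Oct  3 01:02:06 box sshd[1238]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Oct  3 01:03:00 box sshd[1240]: Connection from 198.51.100.7 port 40000
Oct  3 01:03:01 box sshd[1240]: Accepted publickey for jb from 198.51.100.7 port 40000 ssh2
Oct  3 01:04:00 box sshd[1242]: Connection from 203.0.113.5 port 33000
Oct  3 01:04:01 box sshd[1242]: Failed password for oracle from 203.0.113.5 port 33000 ssh2
EOF
)

IPV4='[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+'

# The connect report from the thread: every distinct address that completed
# a TCP connect to sshd (reverse lookup left out so this runs offline).
connect_hosts() {   # $1 = log text
    printf '%s\n' "$1" | grep 'Connection from' | grep -oE "$IPV4" | sort -u
}

# Addresses with at least $2 failed logins, minus any in the exclusion list
# $3 (whitespace-separated), printed as "count ip".
failed_login_offenders() {   # $1 = log text, $2 = threshold, $3 = exclusion list
    printf '%s\n' "$1" | grep 'Failed password' \
        | grep -oE "from $IPV4" | awk '{ print $2 }' \
        | sort | uniq -c \
        | awk -v n="$2" -v excl=" $3 " \
              '$1 >= n && index(excl, " " $2 " ") == 0 { print $1, $2 }'
}

# Render the iptables rules a cron job would add for the offenders. They are
# printed rather than executed here; a real blocker also needs a matching
# rule removal after the chosen $time.
block_rules() {   # $1 = log text, $2 = threshold, $3 = exclusion list
    failed_login_offenders "$1" "$2" "$3" \
        | awk '{ print "iptables -I INPUT -s " $2 " -p tcp --dport 22 -j DROP" }'
}

echo "Remote SSH Connection report"
echo "---------------------------"
connect_hosts "$SAMPLE_LOG"
echo
echo "Block rules for >= 3 failed logins, excluding 203.0.113.5:"
block_rules "$SAMPLE_LOG" 3 "203.0.113.5"
```

Run from cron the way the quoted report is, with `"$(cat /var/log/auth.log)"` in place of the constructed sample; piping `connect_hosts` output through the `phost` helper restores the reverse lookup. The exclusion list is matched with surrounding spaces so that 203.0.113.5 does not also match 203.0.113.50.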
Attachment: signature.asc (This is a digitally signed message part)