Re: SSH Attacks - What to do?
On Wed, 27 Jul 2005, Tim McDonough wrote:
> In reviewing the logs on my Linux server I see that for today and much
> of yesterday someone has a machine set up that's trying to log in
> every few seconds via SSH. They have had no success so far. Here's a
> snippet of the message log, the file is huge with these things. (The
> last two entries are me doing legitimate work.)
> Is there any way to stop this? Do I just depend on password security
> or are there other tools I can readily apply to help?

Yes, use TCP wrappers. /etc/hosts.allow and /etc/hosts.deny. This should
be step one in the process of securing any Linux system.

In /etc/hosts.deny put

    ALL: ALL

In /etc/hosts.allow put in the services and IP addresses of systems you
want to allow in. While this puts you in a bind with dynamic addresses,
there are some tricks to get around it (i.e., if you're dynamic on a subnet
you trust, you can wrap in the subnet).

I.e., if you want to access all services from a particular system:

    ALL: x.x.x.x

If you want to wrap certain services check the service name in
/etc/services.
Sean...
--
The punk rock will get you if the government don't get you first.
--Old 97's
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
KG4NRC http://www.rimboy.com Your source for the crap you know you need.