[ale] Pretty Ugly Out There!

Ben Alexander ben-ale at bensbox.com
Wed Mar 8 09:08:54 EST 2006


Here are three different suggestions -- I got these from a thread that
started a few days ago on incidents at securityfocus.com:

DenyHosts is a Python script that will drop offending IPs into hosts.deny.

denyhosts.sourceforge.net

----

PermitRootLogin no
AllowUsers <xx> <yy> <zz>

    where <xx>, <yy> and <zz> are the users that REALLY require ssh access,
    after checking they do not have a weak user name (like 'john' or 'mary')
    and/or a weak password.

----

The rules track new ssh connections. If there have been 5
connections from a single host in the past 60 seconds then the
connection is dropped. Theoretically a worm could wait and attempt
connecting again, but they don't seem to.


# Record every new inbound ssh connection arriving on $EXTERNAL in the "sshscans" recent-list
iptables -A INPUT -i $EXTERNAL -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshscans
# Drop packets from any source address seen 5 or more times in that list within the last 60 seconds
iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans --rsource -j DROP


----

Ben


On 3/8/06, Mills, John M. <Mills.J at ems-t.com> wrote:
>
> ALErs -
>
> I'm currently logging many hundreds - perhaps thousands - of daily
> attempts to get SSH logins on my home box. They come in sequences of
> user names (10-20 typically) from one IP, then a different bunch from
> another. The guessed account names are starting to cycle through searches
> that might actually hit a real username.
>
> I would like to lock any given originating IP out of access or out of
> SSH login for some period after some number of failures (against
> different usernames). Is there a simple way to do this with or between
> 'ipchains' and 'open-ssh'?
>
> Also, what steps should I take to smoothly migrate a user from one
> username to another? I.e. if I just change the login name in 'passwd',
> 'shadow' and 'groups', what side effects am I likely to hit?
>
> This box started as RH-7.3, though it's evolved quite a bit with time
> (SSH updates in particular).
>
> Thanks.
>
> - Mills
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
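The lockout John asks for, and that DenyHosts automates, comes down to counting failed logins per source address inside a time window and writing the offenders to hosts.deny. The following is an added example, not code from this thread or from DenyHosts: it runs that logic over constructed auth.log lines, using the same 5-failures-in-60-seconds rule as the iptables recipe above and the standard sshd "Failed password for ..." line format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Failed password" lines OpenSSH writes to auth.log / secure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(lines):
    # Return (timestamp, ip, user) for each failed-password line.
    # Syslog stamps carry no year, so timestamps are only used relatively.
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def offenders(events, threshold=5, window=timedelta(seconds=60)):
    # IPs with at least `threshold` failures (any usernames) inside a sliding `window`.
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    hits = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.add(ip)
                break
    return hits

def hosts_deny_lines(ips):
    # hosts.deny entries in the tcp_wrappers form DenyHosts writes: "sshd: <ip>".
    return ["sshd: %s" % ip for ip in sorted(ips)]

# Constructed sample log lines; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Mar  8 08:58:01 homebox sshd[2001]: Failed password for invalid user test from 198.51.100.7 port 40210 ssh2
Mar  8 09:08:10 homebox sshd[2101]: Failed password for invalid user john from 198.51.100.7 port 40220 ssh2
Mar  8 09:08:15 homebox sshd[2102]: Failed password for invalid user mary from 198.51.100.7 port 40221 ssh2
Mar  8 09:08:21 homebox sshd[2103]: Failed password for root from 198.51.100.7 port 40222 ssh2
Mar  8 09:08:30 homebox sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 40223 ssh2
Mar  8 09:08:44 homebox sshd[2105]: Failed password for invalid user oracle from 198.51.100.7 port 40224 ssh2
Mar  8 09:10:02 homebox sshd[2201]: Failed password for mills from 203.0.113.5 port 51000 ssh2
""".splitlines()
```

Running hosts_deny_lines(offenders(parse_failures(SAMPLE_LOG))) yields only the scanner, since its first failure lies outside the 60-second window but the next five fall within 34 seconds of each other.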