[plug] Attempted Intrusions
bob
bob at fots.org.au
Wed Oct 20 10:33:28 WST 2004
On Wed, 20 Oct 2004 09:44 am, Marc Wiriadisastra wrote:
> Bill Kenworthy wrote:
> > That's the path you should be going down! People (plural) are trying to
> > actively probe your machine and you are not firewalling them off?
> >
> > BillK
>
> All it is is that I haven't limited the IPs to who can access ssh
> because sometimes I'm away on business and the only access I have is a
> dialup. How do I get around that or is there not a way around it?

I have been tracking attempts to break into my server as you describe since
July this year and in the hope of understanding what's going on I have found
the following -

This attack is probably coming from a compromised system, part of a bot net.
However there are instances of a more "interactive" attack (i.e. someone is
sitting there directing things - I had one of these, 600K of dictionary
tried against root - pity root isn't a valid account to ssh to for my
config :)

You should set up AllowUsers or AllowGroups, depending on the number of users
you wish to allow access via ssh to, e.g. AllowUsers alice bert carl daisy
(do not have root as a valid user, use su etc.)

If possible set PasswordAuthentication to no and only allow
PubkeyAuthentication as an authentication method (difficult for some users
to do but worthwhile if possible).

It goes without saying (but I will anyway :) Keep up to date with patches.

If you want to get into interactively blocking access there is a Perl script
at
http://www.networksecurityarchive.org/html/Secure-Shell/2004-09/txtw5Zz2Zco9J.txt
Seems to show some promise.

HTH.

> Regards
>
> Marc
--
Roses are red;
Violets are blue.
I'm schizophrenic,
And so am I.
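
An added example, not part of the original post or of the linked Perl script: a small Python check of sshd_config text against the settings suggested in the reply (AllowUsers/AllowGroups without root, PasswordAuthentication no, PubkeyAuthentication left on). The sample configs are constructed; it assumes OpenSSH's rules that the first value given for a keyword wins, that repeated AllowUsers lines accumulate, and that both authentication options default to yes. Match blocks are not evaluated.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample configs (not taken from any real host).
WEAK = "Port 22\nPasswordAuthentication yes\n"
HARDENED = (
    "AllowUsers alice bert carl daisy\n"
    "PasswordAuthentication no\n"
    "PubkeyAuthentication yes\n"
)

def parse_global(text):
    """Parse the global section: first value per keyword, Allow* lists merged."""
    first, allow = {}, {"allowusers": [], "allowgroups": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "match":          # conditional blocks are not evaluated here
            break
        if key in allow:
            allow[key].extend(args)  # repeated Allow* lines accumulate
        else:
            first.setdefault(key, " ".join(args).lower())  # first value wins
    return first, allow

def audit(text):
    """Return findings for the settings recommended in the post."""
    first, allow = parse_global(text)
    findings = []
    if not allow["allowusers"] and not allow["allowgroups"]:
        findings.append("no AllowUsers/AllowGroups restriction")
    # AllowUsers entries are patterns, optionally USER@HOST; fnmatch approximates them.
    if any(fnmatchcase("root", u.split("@")[0]) for u in allow["allowusers"]):
        findings.append("an AllowUsers pattern admits root")
    if first.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if first.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

A later `PasswordAuthentication yes` does not undo an earlier `no`, and the reverse is also true, so the order of lines in the file matters when reading the result.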