[plug] Attempted Intrusions

bob bob at fots.org.au
Wed Oct 20 10:33:28 WST 2004


On Wed, 20 Oct 2004 09:44 am, Marc Wiriadisastra wrote:
> Bill Kenworthy wrote:
> > That's the path you should be going down!  People (plural) are trying to
> > actively probe your machine and you are not firewalling them off?
> >
> > BillK
>
> All it is is that I haven't limited the IPs to who can access ssh
> because sometimes I'm away on business and the only access I have is a
> dialup.  How do I get around that or is there not a way around it?

I have been tracking attempts to break into my server as you describe since 
July this year and in the hope of understanding what's going on I have found 
the following -

This attack is probably coming from a compromised system, part of a bot net. 
However there are instances of a more "interactive" attack (i.e. someone is 
sitting there directing things - I had one of these, 600K of dictionary 
tried against root - pity root isn't a valid account to ssh to for my 
config :) 

You should set up AllowUsers or AllowGroups, depending on the number of users 
you wish to allow access via ssh to. E.g. AllowUsers alice bert carl daisy 
(do not have root as a valid user; use su etc.)

If possible set PasswordAuthentication to no and only allow 
PubkeyAuthentication as an authentication method (difficult for some users 
to do but worthwhile if possible)

It goes without saying (but I will anyway :) Keep up to date with patches.

If you want to get into interactively blocking access there is a perl script 
at
http://www.networksecurityarchive.org/html/Secure-Shell/2004-09/txtw5Zz2Zco9J.txt

Seems to show some promise.

HTH.

> Regards
>
> Marc



-- 
Roses are red;
	Violets are blue.
I'm schizophrenic,
	And so am I.
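As an added example (not from the original post or the plug list), a small POSIX shell audit that checks an sshd_config for the settings recommended above: no root over ssh, AllowUsers/AllowGroups set, PasswordAuthentication off, PubkeyAuthentication on. The defaults it assumes when a directive is absent, and the fact that it ignores Match blocks, are its own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# settings recommended in the thread. Assumes plain "Keyword value" lines and
# no Match blocks; the defaults passed below are assumed, check your sshd version.

# Print the effective value of keyword $2 in config $1, or default $3 if unset.
# sshd uses the first occurrence of a keyword, hence head -n 1; value lowercased.
sshd_get() {
    val=$(sed 's/#.*//' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | head -n 1 |
          awk '{$1=""; sub(/^[ \t]+/, ""); print}' | tr '[:upper:]' '[:lower:]')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one finding per line for config $1; prints nothing when every check passes.
sshd_audit() {
    cfg=$1
    users=$(sshd_get "$cfg" AllowUsers "")
    groups=$(sshd_get "$cfg" AllowGroups "")
    [ -z "$users" ] && [ -z "$groups" ] &&
        echo "no AllowUsers/AllowGroups: every local account can be tried over ssh"
    case " $users " in *" root "*) echo "AllowUsers lists root; use su instead" ;; esac
    [ "$(sshd_get "$cfg" PermitRootLogin yes)" != "no" ] &&
        echo "PermitRootLogin is not 'no'"
    [ "$(sshd_get "$cfg" PasswordAuthentication yes)" != "no" ] &&
        echo "PasswordAuthentication is not 'no': dictionary attacks remain possible"
    [ "$(sshd_get "$cfg" PubkeyAuthentication yes)" != "yes" ] &&
        echo "PubkeyAuthentication is disabled"
    return 0
}

# Constructed sample config (the permissive kind the probes in this thread rely on).
tmp=$(mktemp)
printf '%s\n' '# constructed sample' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$tmp"
sshd_audit "$tmp"
rm -f "$tmp"
```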
