List: full-disclosure
Subject: Re: [Full-Disclosure] Counteroffensive help on bruteforce attacks on SSHD
From: Valdis.Kletnieks@vt.edu
Date: 2004-10-29 16:51:15
Message-ID: 200410291651.i9TGpFFT007957@turing-police.cc.vt.edu
On Fri, 29 Oct 2004 14:34:21 BST, Andrew Poodle said:
> I'm seeing lots of ssh login attempts with user=root from two or three
> IP addresses, after I blocked access at the firewall based on host.
> Can anyone point me at some good resources where I can bone up and learn
> more about counter-measures.... I'm not looking to take this guy out
> (although wouldn't be a bad thing).. But would be interesting to find
> out more.
1) set your firewall up *beforehand* to deny all SSH connects except from
hosts/networks that you need inbound SSH from. If you're never going to SSH
in except from 3 specific machines and one dial-up net, just allow those 3
machines and the /24 or whatever that the dial-up uses.
2) In your sshd_config file, "PermitRootLogin no" and "PermitEmptyPasswords no"
will help security a lot. If you're ambitious, you might consider forcing
the use of RSA keys and "PasswordAuthentication no". Note that this *DOES*
require that the hosts you're ssh'ing in from *also* be secure (because if an
attacker gets the private key on that machine, they just got a login on
your box too...)
3) If you're ambitious, drop the network admin a "Please whack your user who
has a compromised box" (almost *all* of the recent plague of SSH scans have been
from ancient, unsecured, unpatched boxes). Offer void in Korea or anyplace else
that doesn't have a net admin who gives a damn, YMMV, etc.. ;)
4) That should stop the anklebiters. Deterrence measures for more determined
attackers are a separate issue. ;)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
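As an added example (not part of Valdis's reply or of the thread), the shell script below turns steps 1 and 2 of the reply into something checkable: it reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins), reports whether PermitRootLogin, PermitEmptyPasswords and PasswordAuthentication are set to "no", and prints iptables rules that allow inbound SSH only from a short list of sources. The sample config, the temp-file path and the 192.0.2.x / 198.51.100.0/24 addresses are constructed placeholders, not values from the thread; the script prints the firewall rules instead of applying them, so it runs unprivileged. It does not handle "Key=value" syntax or Match blocks, which a full audit would need.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an sshd_config for the
# three settings recommended in the reply and prints SSH allow-list firewall rules.

# Effective value of a keyword. sshd uses the FIRST uncommented occurrence,
# so we stop at the first match; keyword comparison is case-insensitive.
sshd_get() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare one keyword against the wanted value. Prints OK/FIX, returns 0/1.
sshd_check() {
    # $1 = config file, $2 = keyword, $3 = wanted value (lowercase)
    val=$(sshd_get "$1" "$2")
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$3" ]; then
        echo "OK   $2 $val"
        return 0
    fi
    echo "FIX  $2 is '${val:-unset, sshd default applies}'; set it to '$3' explicitly"
    return 1
}

# The three settings from step 2 of the reply. Exit status = number of failures.
sshd_audit() {
    fails=0
    sshd_check "$1" PermitRootLogin no        || fails=$((fails + 1))
    sshd_check "$1" PermitEmptyPasswords no   || fails=$((fails + 1))
    sshd_check "$1" PasswordAuthentication no || fails=$((fails + 1))
    return $fails
}

# Step 1 of the reply: allow new SSH connections only from listed hosts/networks,
# drop everything else. Printed, not applied; review before running as root.
ssh_allowlist_rules() {
    # $@ = allowed sources, e.g. 192.0.2.10 198.51.100.0/24 (placeholders)
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Demo on a constructed sample config with two of the weak settings present.
sample="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$sample" <<'EOF'
# constructed sample, not a real host's config
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
EOF
sshd_audit "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
echo "--- firewall rules (placeholder sources) ---"
ssh_allowlist_rules 192.0.2.10 192.0.2.11 198.51.100.0/24
```

For the sample above the audit flags PermitRootLogin and PasswordAuthentication and reports two settings needing attention; run it against a real /etc/ssh/sshd_config to get the same report for your own host, and remember the reply's caveat that disabling password authentication only helps if the machines holding the private keys are themselves secure.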