[WBEL-users] SSH Hack/Login attempts

David Overholser <davido@phantomhosting.com>
Sun, 8 Aug 2004 13:39:35 -0400


We use the APF firewall along with Brute Force Detection; both are from
www.rfxnetworks.com and they work great. With the brute force detection you can
set it to however many attempts you want before it will block their IP, so
if you want it to block anyone after 5 attempts it's very easy to do.
There are instructions for both at whiteboxforum.com under security. Hope
this helps.

David

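As an added illustration of the threshold-and-block idea David describes above (this is example code written for this page, not BFD's or APF's own code, and it makes no attempt to reproduce their internals): it reads OpenSSH "Failed password" lines, counts failures per source IP inside a sliding time window, and emits the iptables rule that would drop the offender. It also tallies which usernames were tried, since the thread is about test/admin/guest probes. The log lines, host name and IP addresses are constructed for the example; the threshold of 5 attempts follows David's post, while the 10-minute window and the plain `iptables -I INPUT ... -j DROP` rule shape are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the two OpenSSH failure forms: a real account ("Failed password for root ...")
# and a non-existent one ("Failed password for invalid user admin ...").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not a real capture). 10.0.0.5 hammers the box in seconds;
# 192.168.1.20 is a legitimate user fat-fingering twice; 172.16.3.9 probes slowly,
# one attempt every 20 minutes, which a 10-minute window will never catch.
SAMPLE_LOG = """\
Aug  8 09:31:02 host sshd[2001]: Failed password for invalid user test from 10.0.0.5 port 4022 ssh2
Aug  8 09:31:05 host sshd[2003]: Failed password for invalid user guest from 10.0.0.5 port 4023 ssh2
Aug  8 09:31:09 host sshd[2005]: Failed password for invalid user admin from 10.0.0.5 port 4024 ssh2
Aug  8 09:31:12 host sshd[2007]: Failed password for root from 10.0.0.5 port 4025 ssh2
Aug  8 09:31:15 host sshd[2009]: Failed password for invalid user admin from 10.0.0.5 port 4026 ssh2
Aug  8 09:31:19 host sshd[2011]: Failed password for invalid user test from 10.0.0.5 port 4027 ssh2
Aug  8 09:40:00 host sshd[2100]: Failed password for jeff from 192.168.1.20 port 51000 ssh2
Aug  8 09:40:07 host sshd[2102]: Failed password for jeff from 192.168.1.20 port 51001 ssh2
Aug  8 09:40:20 host sshd[2104]: Accepted password for jeff from 192.168.1.20 port 51002 ssh2
Aug  8 08:00:00 host sshd[1900]: Failed password for invalid user guest from 172.16.3.9 port 3000 ssh2
Aug  8 08:20:00 host sshd[1910]: Failed password for invalid user guest from 172.16.3.9 port 3001 ssh2
Aug  8 08:40:00 host sshd[1920]: Failed password for invalid user guest from 172.16.3.9 port 3002 ssh2
Aug  8 09:00:00 host sshd[1930]: Failed password for invalid user guest from 172.16.3.9 port 3003 ssh2
Aug  8 09:20:00 host sshd[1940]: Failed password for invalid user guest from 172.16.3.9 port 3004 ssh2
""".splitlines()


def parse_failures(lines, year=2004):
    """Yield (timestamp, user, ip) for every failed-password line; ignore the rest.
    syslog timestamps carry no year, so one is supplied (assumed here)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")


def ips_to_block(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for every IP that reached `threshold` failures
    within any `window`-long span. Events are processed in time order so the
    decision matches what a log watcher would have made as the lines arrived."""
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    blocked = {}
    for ts, _user, ip in sorted(parse_failures(lines)):
        if ip in blocked:
            blocked[ip] += 1     # keep counting after the block for reporting
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.pop(0)
        if len(q) >= threshold:
            blocked[ip] = len(q)
    return blocked


def attempted_users(lines):
    """Count which account names were tried, whether or not they exist."""
    return Counter(user for _ts, user, _ip in parse_failures(lines))


def iptables_rules(blocked):
    """Render one DROP rule per blocked IP (rule shape is an assumption of this example)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = ips_to_block(SAMPLE_LOG)
    print("usernames tried:", dict(attempted_users(SAMPLE_LOG)))
    print("blocked:", hits)
    for rule in iptables_rules(hits):
        print(rule)
```

On the sample input only 10.0.0.5 gets blocked; the slow probe from 172.16.3.9 never has more than one failure inside the window, which is the caveat to any "N attempts then block" rule: the window has to be long enough for the scanner you actually see in your logs, or the threshold must be paired with a username-based signal (repeated attempts on non-existent accounts) as well.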

----- Original Message ----- 
From: <whitebox-users-request@beau.org>
To: <whitebox-users@beau.org>
Sent: Sunday, August 08, 2004 1:00 PM
Subject: Whitebox-users digest, Vol 1 #361 - 3 msgs


> Today's Topics:
>
>    1. SSH Hack/Login attempts (Jeff Maze)
>    2. Re: SSH Hack/Login attempts (Sudev Barar)
>    3. Re: SSH Hack/Login attempts (Johnny Hughes)
>
> --__--__--
>
> Message: 1
> From: "Jeff Maze" <maillists@crescentdigital.com>
> To: <whitebox-users@beau.org>
> Date: Sun, 8 Aug 2004 09:39:40 -0400
> Subject: [WBEL-users] SSH Hack/Login attempts
>
> Hello,
> I was wondering if there's a way to block some user names/accounts
> from attempting to be logged into via SSH.  Lately, over the last week or
> so, I've seen a lot of login attempts via test, admin, and guest accounts.
> I have PermitRootLogin=No in the sshd_conf file but was wondering whether, if I
> add the above-mentioned accounts, they won't even get a password prompt.
> Thanks..
>
> Oh yeah, there aren't admin, test, or guest accounts created on the
> machine, but they keep trying to use them to log in.
>
>
>
>
> --__--__--
>
> Message: 2
> Subject: Re: [WBEL-users] SSH Hack/Login attempts
> From: Sudev Barar <sudev@mantraonline.com>
> To: whitebox-users@beau.org
> Date: Sun, 08 Aug 2004 20:22:46 +0530
>
> On Sun, 2004-08-08 at 19:09, Jeff Maze wrote:
> > from attempting to be logged into via SSH.  Lately, over the last week or
> > so, I've seen a lot of login attempts via test, admin, and guest accounts.
> If you look at the origin of all these attempts, the whois info points
> mostly at some IPs registered in South Korea. I have also seen many
> attempts in the last two weeks on guest / test.
> -- 
> Sudev Barar
> Learning Linux
>
>
> --__--__--
>
> Message: 3
> Subject: Re: [WBEL-users] SSH Hack/Login attempts
> From: Johnny Hughes <mailing-lists@hughesjr.com>
> Reply-To: mailing-lists@hughesjr.com
> To: WhiteBox Users <whitebox-users@beau.org>
> Date: Sun, 08 Aug 2004 10:02:52 -0500
>
> On Sun, 2004-08-08 at 08:39, Jeff Maze wrote:
> > Hello,
> > I was wondering if there's a way to block some user names/accounts
> > from attempting to be logged into via SSH.  Lately, over the last week or
> > so, I've seen a lot of login attempts via test, admin, and guest accounts.
> > I have PermitRootLogin=No in the sshd_conf file but was wondering whether, if I
> > add the above-mentioned accounts, they won't even get a password prompt.
> > Thanks..
> >
> > Oh yeah, there aren't admin, test, or guest accounts created on the
> > machine, but they keep trying to use them to log in.
> >
> This is happening everywhere, here are some references:
>
> http://thread.gmane.org/gmane.linux.gentoo.security/1466
>
> http://thread.gmane.org/gmane.comp.security.incidents/4969
>
> http://thread.gmane.org/gmane.linux.redhat.general/77870
>
> http://thread.gmane.org/gmane.comp.security.full-disclosure/23716
>
> http://thread.gmane.org/gmane.user-groups.linux.ilug.general/11030
>
> http://thread.gmane.org/gmane.comp.security.intrusions/5768
>
> So it seems to me there was/is a vulnerability in SSH and/or
> apache/mod_ssl that was initially exploited by some people, who used a
> rootkit that created the usernames test, admin, and guest on the affected
> machines ... and there are now scanners looking to use those usernames
> to break into machines.
>
> I verified that all the attempts to login failed in my logs and
> installed and ran chkrootkit on all my Internet facing machines.
>
> chkrootkit can be installed from Dag's site via yum (
> http://dag.wieers.com/home-made/apt/FAQ.php#B3 ) or downloaded from
> here:
>
> http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/
>
> it is named: chkrootkit-0.43-2.rhel3.dag.i386.rpm
>
> Johnny Hughes
> HughesJR.com
>
>
>
> --__--__--
>