[WBEL-users] SSH Hack/Login attempts

Nats nats@sscrmnl.edu.ph
Mon, 9 Aug 2004 08:37:09 +0800


Hmmm... IMHO, if you are always locally present on your machine and you have
other ppl maintaining your servers remotely, why not filter the IP addresses
that are allowed to SSH to the machines: just allow those legal and known IP
addresses that have official rights to your servers. iptables can do this
nicely...

----- Original Message ----- 
From: "David Overholser" <davido@phantomhosting.com>
To: <whitebox-users@beau.org>
Sent: Monday, August 09, 2004 1:39 AM
Subject: [WBEL-users] SSH Hack/Login attempts


> We use APF firewall along w/Brute Force Detection..both are from
> www.rfxnetworks.com  they work great.  With the bruteforce detection you
> can set it to however many attempts you want before it will block their
> ip...so if you want it to block anyone after 5 attempts it's very easy to
> be done.  There are instructions for both at whiteboxforum.com under
> security....hope this helps.
>
> David
>
>
> ----- Original Message ----- 
> From: <whitebox-users-request@beau.org>
> To: <whitebox-users@beau.org>
> Sent: Sunday, August 08, 2004 1:00 PM
> Subject: Whitebox-users digest, Vol 1 #361 - 3 msgs
>
>
> > Send Whitebox-users mailing list submissions to
> > whitebox-users@beau.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://beau.org/mailman/listinfo/whitebox-users
> > or, via email, send a message with subject or body 'help' to
> > whitebox-users-request@beau.org
> >
> > You can reach the person managing the list at
> > whitebox-users-admin@beau.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Whitebox-users digest..."
> >
> >
> > Today's Topics:
> >
> >    1. SSH Hack/Login attempts (Jeff Maze)
> >    2. Re: SSH Hack/Login attempts (Sudev Barar)
> >    3. Re: SSH Hack/Login attempts (Johnny Hughes)
> >
> > --__--__--
> >
> > Message: 1
> > From: "Jeff Maze" <maillists@crescentdigital.com>
> > To: <whitebox-users@beau.org>
> > Date: Sun, 8 Aug 2004 09:39:40 -0400
> > Subject: [WBEL-users] SSH Hack/Login attempts
> >
> > Hello,
> > I was wondering if there's a way to block some user names/accounts
> > from attempting to be logged into via SSH.  Lately, over the last week
> > or so, I've seen a lot of login attempts via test, admin, and guest
> > accounts.  I have the PermitRootLogin=No in the sshd_conf file but was
> > wondering if I add the above mentioned accounts, they won't even get a
> > password prompt.
> > Thanks..
> >
> > Oh yea, there aren't admin, test, nor guest accounts created on the
> > machine but they keep trying to use them to login.
> >
> >
> >
> >
> > --__--__--
> >
> > Message: 2
> > Subject: Re: [WBEL-users] SSH Hack/Login attempts
> > From: Sudev Barar <sudev@mantraonline.com>
> > To: whitebox-users@beau.org
> > Date: Sun, 08 Aug 2004 20:22:46 +0530
> >
> > On Sun, 2004-08-08 at 19:09, Jeff Maze wrote:
> > > from attempting to be logged into via SSH.  Lately, over the last week
> > > or so, I've seen a lot of login attempts via test, admin, and guest
> > > accounts.
> > If you look at the origin of all these attempts the whois info points
> > mostly at some IP's registered in South Korea. Have also seen many
> > attempts in the last two weeks on guest / test
> > -- 
> > Sudev Barar
> > Learning Linux
> >
> >
> > --__--__--
> >
> > Message: 3
> > Subject: Re: [WBEL-users] SSH Hack/Login attempts
> > From: Johnny Hughes <mailing-lists@hughesjr.com>
> > Reply-To: mailing-lists@hughesjr.com
> > To: WhiteBox Users <whitebox-users@beau.org>
> > Date: Sun, 08 Aug 2004 10:02:52 -0500
> >
> > On Sun, 2004-08-08 at 08:39, Jeff Maze wrote:
> > > Hello,
> > > I was wondering if there's a way to block some user names/accounts
> > > from attempting to be logged into via SSH.  Lately, over the last week
> > > or so, I've seen a lot of login attempts via test, admin, and guest
> > > accounts.  I have the PermitRootLogin=No in the sshd_conf file but was
> > > wondering if I add the above mentioned accounts, they won't even get a
> > > password prompt.
> > > Thanks..
> > >
> > > Oh yea, there aren't admin, test, nor guest accounts created on the
> > > machine but they keep trying to use them to login.
> > >
> > This is happening everywhere, here are some references:
> >
> > http://thread.gmane.org/gmane.linux.gentoo.security/1466
> >
> > http://thread.gmane.org/gmane.comp.security.incidents/4969
> >
> > http://thread.gmane.org/gmane.linux.redhat.general/77870
> >
> > http://thread.gmane.org/gmane.comp.security.full-disclosure/23716
> >
> > http://thread.gmane.org/gmane.user-groups.linux.ilug.general/11030
> >
> > http://thread.gmane.org/gmane.comp.security.intrusions/5768
> >
> > So it seems to me there was/is a vulnerability in SSH and/or
> > apache/mod_ssl that was initially exploited by some people, who used a
> > rootkit that created usernames of test, admin, guest on the affected
> > machines ... and there are now scanners looking to use those usernames
> > to break into machines.
> >
> > I verified that all the attempts to login failed in my logs and
> > installed and ran chkrootkit on all my Internet facing machines.
> >
> > chkrootkit can be installed from Dag's site via yum (
> > http://dag.wieers.com/home-made/apt/FAQ.php#B3 ) or downloaded from
> > here:
> >
> > http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/
> >
> > it is named: chkrootkit-0.43-2.rhel3.dag.i386.rpm
> >
> > Johnny Hughes
> > HughesJR.com
> >
> >
> >
> > --__--__--
> >
>


-- 
This message has been scanned for viruses and
dangerous content by MailScanner which is
installed at www.sscrmnl.edu.ph and believed to be clean.
Report abuse from this domain at abuse@sscrmnl.edu.ph
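Added example for this thread (not code from any of the posters, nor from APF/BFD): a small Python script that does locally what David's Brute Force Detection setting and Nats's iptables allowlist suggestion describe. It counts failed sshd password attempts per source address and the non-existent usernames being probed (Jeff's test/admin/guest case), flags sources at or above a configurable attempt threshold, and prints the iptables rules an operator would review before applying. The log lines, hostnames and addresses are constructed samples (documentation address ranges), written in both the older "Illegal user" and the newer "Invalid user" OpenSSH log formats; the 198.51.100.0/24 admin network is an assumed value.

```python
"""Count failed sshd logins per source and per probed username.

Added example for this thread, not code from any poster or from APF/BFD.
The log lines are constructed samples in the two formats OpenSSH has used
for unknown accounts ("Illegal user ..." on older releases, "Invalid user ..."
on newer ones); the addresses are documentation ranges, not real sources.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug  8 09:12:01 wb sshd[2311]: Invalid user test from 192.0.2.10 port 51234
Aug  8 09:12:01 wb sshd[2311]: Failed password for invalid user test from 192.0.2.10 port 51234 ssh2
Aug  8 09:12:04 wb sshd[2313]: Invalid user admin from 192.0.2.10 port 51236
Aug  8 09:12:04 wb sshd[2313]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Aug  8 09:12:07 wb sshd[2315]: Invalid user guest from 192.0.2.10 port 51238
Aug  8 09:12:07 wb sshd[2315]: Failed password for invalid user guest from 192.0.2.10 port 51238 ssh2
Aug  8 09:12:10 wb sshd[2317]: Invalid user guest from 192.0.2.10 port 51240
Aug  8 09:12:10 wb sshd[2317]: Failed password for invalid user guest from 192.0.2.10 port 51240 ssh2
Aug  8 09:12:13 wb sshd[2319]: Invalid user test from 192.0.2.10 port 51242
Aug  8 09:12:13 wb sshd[2319]: Failed password for invalid user test from 192.0.2.10 port 51242 ssh2
Aug  8 09:30:44 wb sshd[2402]: Failed password for jeff from 198.51.100.7 port 40122 ssh2
Aug  8 09:30:50 wb sshd[2402]: Accepted publickey for jeff from 198.51.100.7 port 40122 ssh2
Aug  8 10:01:00 wb sshd[2510]: Illegal user test from 203.0.113.5
Aug  8 10:01:02 wb sshd[2510]: Failed password for illegal user test from 203.0.113.5 port 5120 ssh2
Aug  8 10:01:08 wb sshd[2510]: Failed password for illegal user test from 203.0.113.5 port 5120 ssh2
""".splitlines()

# One line per password tried; the optional group absorbs the tag sshd adds
# when the account does not exist, so the username is captured either way.
ATTEMPT_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# Logged once per connection when the username has no local account
# (the test/admin/guest probes Jeff describes).
NOUSER_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")


def failures_by_source(lines):
    """Number of failed password attempts per source address."""
    return Counter(m.group("ip") for m in map(ATTEMPT_RE.search, lines) if m)


def probed_usernames(lines):
    """How often each non-existent username was tried, across all sources."""
    return Counter(m.group("user") for m in map(NOUSER_RE.search, lines) if m)


def sources_over_threshold(lines, threshold=5):
    """Sources at or above the attempt count a BFD-style policy would block."""
    return {ip: n for ip, n in failures_by_source(lines).items() if n >= threshold}


def block_rules(ips, port=22):
    """iptables commands that would drop further SSH connections from each
    flagged source.  Returned as strings for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(ips)]


def allowlist_rules(allowed, port=22):
    """Nats's alternative: accept SSH only from known addresses or networks.
    The ACCEPT rules must precede the final DROP, so they are appended in order."""
    rules = [f"iptables -A INPUT -s {src} -p tcp --dport {port} -j ACCEPT" for src in allowed]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    print("attempts per source:", dict(failures_by_source(SAMPLE_LOG)))
    print("non-existent usernames tried:", dict(probed_usernames(SAMPLE_LOG)))
    noisy = sources_over_threshold(SAMPLE_LOG, threshold=5)
    for rule in block_rules(noisy):
        print(rule)
    for rule in allowlist_rules(["198.51.100.0/24"]):  # assumed admin network
        print(rule)
```

Run against a real /var/log/secure the same way (one line per list element); the threshold of 5 matches the example David gives. Note that a blanket allowlist as in `allowlist_rules` locks out anyone connecting from an address that is not listed, including you, if your own address changes, so the ACCEPT rules need to cover every legitimate admin location before the final DROP goes in.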