[WBEL-users] SSH Hack/Login attempts

Greg.Lehmann@csiro.au Greg.Lehmann@csiro.au
Mon, 9 Aug 2004 11:42:46 +1000


And so can tcp wrappers.

> -----Original Message-----
> From: whitebox-users-admin@beau.org 
> [mailto:whitebox-users-admin@beau.org] On Behalf Of Nats
> Sent: Monday, 9 August 2004 10:37 AM
> To: whitebox-users@beau.org
> Subject: Re: [WBEL-users] SSH Hack/Login attempts
> 
> 
> Hmmm... IMOO, if you are always locally present on your machine and you have
> other ppl maintaining your servers remotely, why not filter ip addresses
> that can only SSHd to machines, just allow those legal and known ip
> addresses that have official rights to your servers, iptables can do this
> nicely...
> 
> ----- Original Message ----- 
> From: "David Overholser" <davido@phantomhosting.com>
> To: <whitebox-users@beau.org>
> Sent: Monday, August 09, 2004 1:39 AM
> Subject: [WBEL-users] SSH Hack/Login attempts
> 
> 
> > We use APF firewall along w/ Brute Force Detection... both are from
> > www.rfxnetworks.com; they work great.  With the bruteforce detection you
> > can set it to however many attempts you want before it will block their
> > ip... so if you want it to block anyone after 5 attempts it's very
> > easy to be done. There are instructions for both at whiteboxforum.com under
> > security.... hope this helps.
> >
> > David
> >
> >
> > ----- Original Message ----- 
> > From: <whitebox-users-request@beau.org>
> > To: <whitebox-users@beau.org>
> > Sent: Sunday, August 08, 2004 1:00 PM
> > Subject: Whitebox-users digest, Vol 1 #361 - 3 msgs
> >
> >
> > > Send Whitebox-users mailing list submissions to
> > > whitebox-users@beau.org
> > >
> > > To subscribe or unsubscribe via the World Wide Web, visit
> > > http://beau.org/mailman/listinfo/whitebox-users
> > > or, via email, send a message with subject or body 'help' to
> > > whitebox-users-request@beau.org
> > >
> > > You can reach the person managing the list at
> > > whitebox-users-admin@beau.org
> > >
> > > When replying, please edit your Subject line so it is more specific
> > > than "Re: Contents of Whitebox-users digest..."
> > >
> > >
> > > Today's Topics:
> > >
> > >    1. SSH Hack/Login attempts (Jeff Maze)
> > >    2. Re: SSH Hack/Login attempts (Sudev Barar)
> > >    3. Re: SSH Hack/Login attempts (Johnny Hughes)
> > >
> > > --__--__--
> > >
> > > Message: 1
> > > From: "Jeff Maze" <maillists@crescentdigital.com>
> > > To: <whitebox-users@beau.org>
> > > Date: Sun, 8 Aug 2004 09:39:40 -0400
> > > Subject: [WBEL-users] SSH Hack/Login attempts
> > >
> > > Hello,
> > > I was wondering if there's a way to block some user names/accounts
> > > from attempting to be logged into via SSH.  Lately, over the last week or
> > > so, I've seen a lot of login attempts via test, admin, and guest accounts.
> > > I have the PermitRootLogin=No in the sshd_conf file but was wondering if I
> > > add the above mentioned accounts, they won't even get a password prompt.
> > > Thanks..
> > >
> > > Oh yeah, there aren't admin, test, nor guest accounts created on the machine
> > > but they keep trying to use them to login.
> > >
> > >
> > >
> > >
> > > --__--__--
> > >
> > > Message: 2
> > > Subject: Re: [WBEL-users] SSH Hack/Login attempts
> > > From: Sudev Barar <sudev@mantraonline.com>
> > > To: whitebox-users@beau.org
> > > Date: Sun, 08 Aug 2004 20:22:46 +0530
> > >
> > > On Sun, 2004-08-08 at 19:09, Jeff Maze wrote:
> > > > from attempting to be logged into via SSH.  Lately, over the last week or
> > > > so, I've seen a lot of login attempts via test, admin, and guest accounts.
> > > If you look at the origin of all these attempts the whois info points
> > > mostly at some IPs registered in South Korea. Have also seen many
> > > attempts in the last two weeks on guest / test
> > > -- 
> > > Sudev Barar
> > > Learning Linux
> > >
> > >
> > > --__--__--
> > >
> > > Message: 3
> > > Subject: Re: [WBEL-users] SSH Hack/Login attempts
> > > From: Johnny Hughes <mailing-lists@hughesjr.com>
> > > Reply-To: mailing-lists@hughesjr.com
> > > To: WhiteBox Users <whitebox-users@beau.org>
> > > Date: Sun, 08 Aug 2004 10:02:52 -0500
> > >
> > > On Sun, 2004-08-08 at 08:39, Jeff Maze wrote:
> > > > Hello,
> > > > I was wondering if there's a way to block some user names/accounts
> > > > from attempting to be logged into via SSH.  Lately, over the last week or
> > > > so, I've seen a lot of login attempts via test, admin, and guest accounts.
> > > > I have the PermitRootLogin=No in the sshd_conf file but was wondering if I
> > > > add the above mentioned accounts, they won't even get a password prompt.
> > > > Thanks..
> > > >
> > > > Oh yeah, there aren't admin, test, nor guest accounts created on the machine
> > > > but they keep trying to use them to login.
> > > >
> > > This is happening everywhere, here are some references:
> > >
> > > http://thread.gmane.org/gmane.linux.gentoo.security/1466
> > >
> > > http://thread.gmane.org/gmane.comp.security.incidents/4969
> > >
> > > http://thread.gmane.org/gmane.linux.redhat.general/77870
> > >
> > > http://thread.gmane.org/gmane.comp.security.full-disclosure/23716
> > >
> > > http://thread.gmane.org/gmane.user-groups.linux.ilug.general/11030
> > >
> > > http://thread.gmane.org/gmane.comp.security.intrusions/5768
> > >
> > > So it seems to me there was/is a vulnerability in SSH and/or
> > > apache/mod_ssl that was initially exploited by some people, who used a
> > > rootkit that created usernames of test, admin, guest on the affected
> > > machines ... and there are now scanners looking to use those usernames
> > > to break into machines.
> > >
> > > I verified that all the attempts to login failed in my logs and
> > > installed and ran chkrootkit on all my Internet facing machines.
> > >
> > > chkrootkit can be installed from Dag's site via yum (
> > > http://dag.wieers.com/home-made/apt/FAQ.php#B3 ) or downloaded from
> > > here:
> > >
> > > http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/
> > >
> > > it is named: chkrootkit-0.43-2.rhel3.dag.i386.rpm
> > >
> > > Johnny Hughes
> > > HughesJR.com
> > >
> > >
> > >
> > > --__--__--
> > >
> > > _______________________________________________
> > > Whitebox-users mailing list
> > > Whitebox-users@beau.org
> > > http://beau.org/mailman/listinfo/whitebox-users
> > >
> > >
> > > End of Whitebox-users Digest
> > >
> > >
> >
> > -- 
> > This message has been scanned for viruses and
> > dangerous content by MailScanner which is
> > installed at www.sscrmnl.edu.ph and believed to be clean.
> > Report abuse from this domain at abuse@sscrmnl.edu.ph
> 
> 
> 
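The thread describes three defensive pieces without showing any code: David's "block after N attempts" brute-force detection, Greg's tcp wrappers, and Nats's iptables allow-list of known source addresses. The script below is an added example written for this archive page; it is not code from the thread, from APF/BFD, or from any of the posters. It parses sshd syslog lines (the log lines are constructed samples, not real logs; the 2004-era "illegal user" and the later "invalid user" wording are both matched), counts failed logins per source address, and, for sources that reach the thread's threshold of 5 attempts, emits the hosts.deny line and the iptables command that would block them. The `allowlist_rules` helper shows the tcp wrappers form of Nats's "only known addresses" approach. The threshold, host name and addresses are assumptions for illustration.

```python
"""Added example: count failed sshd logins per source and produce the
tcp wrappers / iptables blocking lines discussed in the thread."""
import re
from collections import Counter, defaultdict

# OpenSSH of the 2004 era logged "illegal user"; later versions say "invalid user".
# The optional group is absent when the user name exists on the machine.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample auth log (syslog format): one scanner probing the
# test/admin/guest names from the thread, one real user mistyping once,
# and a single probe from a second address that stays below the threshold.
SAMPLE_LOG = """\
Aug  8 09:39:40 wbel sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 4011 ssh2
Aug  8 09:39:43 wbel sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 4012 ssh2
Aug  8 09:39:47 wbel sshd[2105]: Failed password for illegal user admin from 192.0.2.10 port 4013 ssh2
Aug  8 09:39:51 wbel sshd[2107]: Failed password for illegal user test from 192.0.2.10 port 4014 ssh2
Aug  8 09:39:55 wbel sshd[2109]: Failed password for illegal user admin from 192.0.2.10 port 4015 ssh2
Aug  8 09:40:02 wbel sshd[2111]: Failed password for illegal user guest from 192.0.2.10 port 4016 ssh2
Aug  8 10:02:52 wbel sshd[2130]: Failed password for jeff from 198.51.100.7 port 52210 ssh2
Aug  8 10:03:01 wbel sshd[2132]: Accepted password for jeff from 198.51.100.7 port 52211 ssh2
Aug  8 10:15:00 wbel sshd[2140]: Failed password for invalid user admin from 203.0.113.5 port 3344 ssh2
"""


def parse_failures(log_text):
    """Return {source_ip: Counter(username -> failed attempts)} from sshd log text."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src][user] += 1
    return failures


def offenders(failures, threshold=5):
    """Sources whose total failed logins reached the threshold (the thread's 5 attempts)."""
    return sorted(src for src, users in failures.items()
                  if sum(users.values()) >= threshold)


def hosts_deny_line(src):
    """tcp wrappers rule in hosts.deny syntax: refuse sshd connections from one source."""
    return f"sshd: {src}"


def iptables_rule(src):
    """iptables command that drops SSH connections from one source (assumed port 22)."""
    return f"iptables -I INPUT -s {src} -p tcp --dport 22 -j DROP"


def allowlist_rules(known_sources):
    """Nats's approach in tcp wrappers form: hosts.allow is consulted first,
    so listing the known addresses there and denying ALL in hosts.deny
    leaves sshd reachable only from those addresses."""
    return {"hosts.allow": "sshd: " + ", ".join(known_sources),
            "hosts.deny": "sshd: ALL"}


def report(log_text, threshold=5):
    """Per offending source: attempt count, user names tried, and the two blocking lines."""
    failures = parse_failures(log_text)
    return {src: {"attempts": sum(failures[src].values()),
                  "users": sorted(failures[src]),
                  "hosts_deny": hosts_deny_line(src),
                  "iptables": iptables_rule(src)}
            for src in offenders(failures, threshold)}


if __name__ == "__main__":
    for src, info in report(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} failures as {info['users']}")
        print("  hosts.deny -> " + info["hosts_deny"])
        print("  shell      -> " + info["iptables"])
    print(allowlist_rules(["198.51.100.7"]))
```

Run against a real /var/log/secure the parser keys on the source address rather than the user name, which is the point Jeff's question turns on: the probed accounts do not exist, so there is nothing to deny per user, but the failures still identify the source. The single-failure entries (a real user's typo, a one-off probe) stay below the threshold and are not blocked.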