SSH login attempts

lord_zoo · 11-14-2004, 11:38 AM

That's why I think this could be a honeypot.

Anyway, I don't think a hacker could want to waste his time on something that suspicious.

I don't know.

Matir · 11-14-2004, 12:11 PM

Of course, they could be IP spoofing the IP of a honeypot. Wouldn't that be fun?

Capt_Caveman · 11-14-2004, 04:48 PM

Quote:

Originally posted by Matir
...very suspicious, if you ask me. Or stupid. One of the two.

You have to keep in mind that the attack could be coming from someone compromised by this very same attack. So for someone with a root password of "root", I wouldn't be surprised to see something equally as stupid ... like having basically every service known to man turned on

mardanian · 11-21-2004, 01:30 PM

I thinks changing sshd listening port other then 22 would helps?
protecting from those stupid scanner tries to root every box on earth

emetib · 12-04-2004, 01:20 PM

i haven't read this whole thread, but i'm curious about the hosts.allow.

can you specify a mac address to let through, instead of just an ip?
since i'll be using a laptop to access my server in varying locations.

thanks.

adjman · 12-05-2004, 02:52 AM

Yes, you can indeed specify MAC or Hardware addresses on the firewall for rules :

and would be done something like this

iptables -A INPUT -s any -m mac -mac-source 00:C7:8F:72:14 -j ACCEPT

You need to have compiled mac address matching into your kernel, or loaded the appropriate module.

Please correct me if I'm wrong chaps out there

Capt_Caveman · 12-05-2004, 04:25 AM

The problem with using mac addresses is that the machine connecting has to be on the local network due to the fact that mac addresses aren't remotely transmited (in OSI terminology they're utilized on the link layer not the network layer). So if you were connecting remotely over the internet, you couldn't filter based on the remote systems mac address.

emetib · 12-05-2004, 09:30 AM

thank you for that answer. it's what i needed to know.

IchBin · 12-15-2004, 12:40 AM

So does anyone have a script to automatically add this to iptables?

jymbo · 12-15-2004, 07:33 PM

Portsentry will add the offender to hosts.deny AND add a KILLROUTE. 3 caveats though:

1.) You need to run sshd on a differnet port
2.) You need to configure portsentry to monitor port 22
3.) To prevent your routing table from getting flooded, set-up a cronjob to flush it every 2 days or so

whoisdevnull · 12-20-2004, 06:36 PM

Tried to read through all the posts here but couldn't make it ;-)

Don't know if this has already been posted, but there is some good information in a few places here.

A good summary: http://dev.gentoo.org/~krispykringle/sshnotes.txt

A blacklisting script: http://www.pettingers.org/code/SSHBlack.html

A look at what they do once they get in: http://www.security.org.sg/gtec/hone...diary=20041102

Sorry if these are dupes of other posts, we're six pages in here!

IchBin · 12-20-2004, 09:32 PM

Thanks, that's some great info there.

whoisdevnull · 12-27-2004, 05:55 PM

Here is another one. Haven't looked at it too closely, the script from a few posts above is working fine.

http://linux.newald.de/new_design/login_check.html

-Mike

flipcode · 12-27-2004, 06:29 PM

If you have a static IP you could quite easily block all SSH access via iptables to all but your static IP(s).

IchBin · 12-28-2004, 11:15 PM

well there are a couple of IP's that I would like to give access. Is that possible?