Analyzing Malicious SSH Login Attempts
Christian Seifert

Analyzing malicious SSH login attempts 2006-09-12
Anonymous
A mention and short walkthrough of the port knocking package would've been a nice addition to this article. I once installed the port knocking package, but couldn't figure out how to perform the actual "knock". Working through the configuration file was simple enough because it was sufficiently co...

Analyzing malicious SSH login attempts 2006-09-12
Peter N. M. Hansteen (2 replies)
A nice article overall, but at least some firewalls offer some flexibility with respect to dynamically blocking traffic from hosts which behave in some undesirable fashion. OpenBSD's PF has 'overload' rules for this and similar purposes.

I have included an example of this with some discussion ...

Re: Analyzing malicious SSH login attempts 2006-09-19
scolsuckz
This kind of attack can easily be blocked in PF automagically. Thanks to the OpenBSD community and Peter Hansteen for such a great article.

-PH, Manila...

Re: Analyzing malicious SSH login attempts 2006-11-26
Anonymous
Cool links don't change, I know, unless it can't be helped. The tutorial now lives at http://home.nuug.no/~peter/pf/. Sorry for any inconvenience....

Analyzing malicious SSH login attempts 2006-09-12
Henry Escobar
Great article!

One 'trick' that I implement on my own hosts is using the following daemon:

http://denyhosts.sourceforge.net/

It processes the system syslog files, and modifies /etc/hosts.deny on the fly to block abusive IP addresses....

Analyzing malicious SSH login attempts 2006-09-13
Anonymous
This really isn't anything new at all. These types of attacks and their subsequent analysis have been around for quite a while. We didn't learn anything new from this honeypot research. This is just the standard scan, crack, and bot attack that happens all the time....

Analyzing malicious SSH login attempts 2006-09-15
Ron Jennings
Job well done. Thanks for the info....

Analyzing malicious SSH login attempts 2006-09-16
Anonymous
Another defence is to restrict logins from the same IP to X unsuccessful attempts per Y days (I use 3 for both).

http://www.csc.liv.ac.uk/~greg/sshdfilter/ is one such tool....

Analyzing malicious SSH login attempts 2006-09-19
Alex LaHurreau
The DenyHosts "trick" is quite useful, and the distributed attacks database makes it even more useful with each new user. Quite a nifty piece of software....

Analyzing malicious SSH login attempts 2006-09-26
Russ (1 replies)
A useful tool for detecting and blocking SSH login attacks, which also shares data in a centralised DB so you can pre-emptively block IPs that have attacked other systems: http://denyhosts.sourceforge.net/

Also, a source of stats that may be helpful in analysing probabilities of success: the Linu...

Re: Analyzing malicious SSH login attempts 2006-10-26
Anonymous
Several tools exist to block ssh attempts via updating your hosts or iptables/ipfw rules. These are all postmortem. Linux netfilter has the recent module which allows realtime blackholing. Also using passphrases, deny root ssh or at least without-password and allowing wheel group su or limited sudo...

Analyzing Malicious SSH Login Attempts 2006-11-06
Anonymous (1 replies)
This has been an annoyance for me for quite a while.

My home firewall host has the following rules added to the iptables ruleset to discourage such attacks:

-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 180 --name sshrecent --rsource -j DROP

-A ...

Re: Analyzing Malicious SSH Login Attempts 2007-01-16
Anonymous (1 replies)
What if they spoof their IPs :) then they won't wait 180 seconds ...

Re: Re: Analyzing Malicious SSH Login Attempts 2007-10-17
Anonymous
Go learn TCP you clown. Spoofing your IP on an ssh connection is going to be completely useless over the internet........

Analyzing Malicious SSH Login Attempts 2008-03-31
Anonymous (1 replies)
Use the timelox patch for ssh......

Re: Analyzing Malicious SSH Login Attempts 2008-05-04
zulu
Use of one time passwords for public facing SSH can greatly enhance security as well.

"man opiekey" ...

Analyzing Malicious SSH Login Attempts 2008-05-30
Anonymous
Great article. I enjoyed reading it. I'll have to try a honeypot, just for yucks :)

For prevention, I'd add a few things, which should ALWAYS be done on your firewall:

1. ALWAYS the first thing is to disable root login via ssh.

2. You should at least add port knocking. It is incredibly...

Analyzing Malicious SSH Login Attempts 2008-09-24
cskaryd
http://www.aczoom.com/cms/blockhosts is another great tool for automatically blocking malicious attempts. I've been using it for years....

Copyright 2009, SecurityFocus