You can also wrap sshd within xinetd:

service ssh
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    protocol        = tcp
    server          = /usr/sbin/sshd
    server_args     = -i
    log_type        = FILE /var/log/sshdlog
    log_on_success  = HOST PID DURATION EXIT
    log_on_failure  = HOST ATTEMPT
    disable         = no
}

Shut down sshd itself and bounce xinetd; then hosts.allow and/or
hosts.deny work.
On 3/28/06, Joseph Spenner wrote:
> --- "Zembower, Kevin" wrote:
>
> > What's the current advice on dealing with scripts
> > that repeatedly try to
> > log onto SSH using a list of common usernames and
> > 'password' for the
> > password? I get up to 4,000 of these a day from a
> > single server. In
> > searching Google on this, I've learned of techniques
> > using PAM and
> > firewall rules that are created dynamically in
> > response to log-in
> > attempts.
> >
>
> I've seen systems where an entry is made in
> /etc/hosts.allow for sshd: for the offending IP if too
> many attempts are detected. But in order for this to
> work, your sshd must be compiled with tcp_wrappers
> support.
> I see this sort of attack a lot, and if the attacking
> script hits a tcp wrapped ssh, it will stop
> immediately. After a few minutes/hours, the entry can
> be removed from hosts.allow (or not).
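Both messages above rely on tcp_wrappers rules being generated from observed failures: the reply wraps sshd so hosts.allow/hosts.deny take effect, and the quoted post describes adding an entry for the offending IP once too many attempts are seen. The script below is an added example, not code from either poster: it reads sshd auth-log lines on stdin, counts "Failed password" events per source address, and emits "sshd: <ip>" rules for any address at or above a threshold. The log lines, the hostnames and PIDs, the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24), and the threshold of 5 are all constructed here; the sshd message format and the tcp_wrappers rule syntax are the real ones.

```shell
#!/bin/sh
# Added example (not from the original thread): count failed sshd password
# attempts per source address and emit tcp_wrappers hosts.deny entries for
# addresses over a threshold. The log lines below are constructed sample data
# in OpenSSH's usual auth-log format; 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts.

SAMPLE_LOG='Mar 28 10:01:02 host sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 4011 ssh2
Mar 28 10:01:03 host sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 4012 ssh2
Mar 28 10:01:04 host sshd[1203]: Failed password for root from 192.0.2.10 port 4013 ssh2
Mar 28 10:01:05 host sshd[1204]: Failed password for invalid user guest from 192.0.2.10 port 4014 ssh2
Mar 28 10:01:06 host sshd[1205]: Failed password for invalid user oracle from 192.0.2.10 port 4015 ssh2
Mar 28 10:02:10 host sshd[1210]: Failed password for kevin from 198.51.100.7 port 51000 ssh2
Mar 28 10:02:15 host sshd[1210]: Accepted password for kevin from 198.51.100.7 port 51000 ssh2
Mar 28 10:03:00 host sshd[1220]: Invalid user www from 192.0.2.33
Mar 28 10:03:01 host sshd[1220]: Failed password for invalid user www from 192.0.2.33 port 2222 ssh2'

# Deny after this many failed password attempts from one address (our choice;
# a single typo from a legitimate user must not trip it).
THRESHOLD=${THRESHOLD:-5}

# offending_ips LIMIT < log
# Prints each source address with at least LIMIT "Failed password" lines,
# one per line, sorted. Only the "sshd[pid]: Failed password ... from <ip>"
# form is counted; "Accepted password", "Invalid user" and other lines are
# ignored, so a successful login after one typo never contributes.
offending_ips() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "from" && i < NF) { count[$(i+1)]++; break }
            }
        }
        END { for (ip in count) if (count[ip] >= limit) print ip }
    ' | sort
}

# deny_lines LIMIT < log
# Turns the offending addresses into tcp_wrappers rules of the form
# "sshd: <ip>", ready to append to /etc/hosts.deny (or to use in an EXCEPT
# clause in /etc/hosts.allow, the variant the quoted post describes).
deny_lines() {
    offending_ips "$1" | while IFS= read -r ip; do
        printf 'sshd: %s\n' "$ip"
    done
}

# Stand-alone demo against the constructed sample. In practice, feed the
# real log (the xinetd log_type FILE path, or the syslog auth facility) on
# stdin and append the output to /etc/hosts.deny; remove entries again on
# whatever schedule suits you, as the quoted post suggests.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | deny_lines "$THRESHOLD"
fi
```

Run with `--demo` to see the single rule the sample produces (only 192.0.2.10 reaches five failures; the user who mistyped once and then logged in is left alone). Note that tcp_wrappers only helps if sshd consults it, either via the xinetd wrapping above or a build with tcp_wrappers support, which is exactly the condition the quoted post raises.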