Re: sshd attack?

To: debian-security@lists.debian.org
Subject: Re: sshd attack?
From: Jörgen Persson <jpn@tlth.lth.se>
Date: Wed, 15 Aug 2001 09:59:27 +0200
Message-id: <[🔎] 20010815095927.A16878@tlth.lth.se>
Mail-followup-to: Jörgen Persson <jpn@tlth.lth.se>, debian-security@lists.debian.org
In-reply-to: <[🔎] 002401c1255d$3095e280$406a3c86@wohnheim.uniulm.de>; from Siegbert.Baude@gmx.de on Wed, Aug 15, 2001 at 09:37:51AM +0200
References: <[🔎] 002401c1255d$3095e280$406a3c86@wohnheim.uniulm.de>

On Wed, Aug 15, 2001 at 09:37:51AM +0200, Siegbert Baude wrote:
> Hello,
> 
> I get about 100 log entries of the following pattern:
> 
> Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation
> attack: network attack detected
> 
> 
> What´s this?

I do not know.

> How can I find out, from where this attack is originating? Must I increase
> the verbositiy level of sshd to achieve this?

sshd might be able to do it. I'm logging the originating adress through
my internet services daemon. I happen to use tcpserver[1] but inetd[2]
and xinetd[3] ought to be able to do it as well. A second alternative is
to do it through a tcpwrapper like Venemas[4].

Jörgen
[1] http://cr.yp.to/ucspi.tcp/tcpserver.html
[2] ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/
[3] http://www.xinetd.org/
[4] ftp://ftp.porcupine.org/pub/security/

Reply to:

Follow-Ups:
- Re: sshd attack?
  - From: matthew@sackman.co.uk (Matthew Sackman)
- Re: sshd attack?
  - From: Andres Salomon <dilinger@mp3revolution.net>

References:
- sshd attack?
  - From: "Siegbert Baude" <Siegbert.Baude@gmx.de>

Prev by Date: Re: sshd attack?
Next by Date: Re: Mutt and inline gpg
Previous by thread: Re: sshd attack?
Next by thread: Re: sshd attack?
Index(es):
- Date
- Thread