
Re: need help with openssh attack



It's always a good idea to move ssh to a non-standard port,
so at least automated attacks are almost stopped.

André

On 29.12.2011 15:50, Nikolay Yatsyshyn wrote:
As a temporary solution you could use my iptables script for preventing ssh brute force

I use this to prevent ssh and ftp brute force, where AAA.BBB.CCC.DDD is your trusted IP, which will never be blocked. This script will block an IP if it makes >3 connections per 5 minutes.

# Create the whitelist chain.
iptables -N SSH_WHITELIST
# Record the source of every new SSH connection (SYN) in the "sshbr" list.
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --set
iptables -A INPUT -p tcp --dport 22 --syn -j SSH_WHITELIST
# Reject with a TCP reset once a source has 3 hits within 300 seconds (the third attempt is the one refused).
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --update --rttl --hitcount 3 --seconds 300 -j REJECT --reject-with tcp-reset
# Trusted IP: remove it from the "sshbr" list so it is never counted. The rule needs --name sshbr (without it
# the DEFAULT list is used), and --rttl is dropped because it is only valid together with --rcheck or --update.
iptables -A SSH_WHITELIST -s AAA.BBB.CCC.DDD -p tcp --dport 22 --syn -m recent --name sshbr --remove

To increase security, set MaxAuthTries 1 in /etc/ssh/sshd_config, so a remote user can make only 2 connection attempts with 2 password retries.

On Thu, Dec 29, 2011 at 4:33 PM, Ville Tiensuu <ville@tiensuu.eu> wrote:

Hello,

Could you please paste the /var/log/auth.log message of the attack?
Are you sure it's not a brute-force attack or similar?
I think the problem is not in the SSH server itself, it's in your server's
security. Are you using a weak password, and allowing direct root access
to the server via SSH?
If the problem persists on your other servers, try to use fail2ban or similar.

-Ville

29.12.2011 16:04, Taz wrote:
> Hello, we've got various debian servers, about 15, with different
> versions. All of them have been attacked today and granted root
> access. Can anybody help? We can give ssh access to attacked
> machine, it seems to be serious ssh vulnerability.
>
> How can I contact openssh mnt?
>
> Thank you.




--
BR, Nikolay Yatsyshyn


-- 
Aarboard AG    Phone: +41 32 332 97 14
Egliweg 10     Fax:   +41 32 332 97 14
2560 Nidau
Switzerland    www.aarboard.ch
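Added example, not code from any of the posters: a small Python script that reads sshd lines from /var/log/auth.log (the file Ville asks for) and applies the same 3-attempts-per-300-seconds window as Nikolay's iptables rule to the failed logins, then flags any successful root login from a source that had already crossed that threshold. The log lines are constructed for the example, the year 2011 is an assumption (syslog timestamps carry none), and the regex covers only the standard OpenSSH "Failed/Accepted <method> for <user> from <ip>" format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (not from the thread). 203.0.113.7 fails three
# times in five seconds and then gets in as root; 198.51.100.4 also fails three times
# but spread over twelve minutes, so it never trips the window.
SAMPLE_AUTH_LOG = """\
Dec 29 15:40:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2
Dec 29 15:40:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 50212 ssh2
Dec 29 15:40:06 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Dec 29 15:41:10 web1 sshd[2110]: Accepted password for root from 203.0.113.7 port 50220 ssh2
Dec 29 15:42:00 web1 sshd[2120]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2
Dec 29 15:55:00 web1 sshd[2130]: Failed password for bob from 198.51.100.4 port 41010 ssh2
Dec 29 16:01:00 web1 sshd[2140]: Failed password for bob from 198.51.100.4 port 41011 ssh2
Dec 29 16:07:00 web1 sshd[2150]: Failed password for bob from 198.51.100.4 port 41012 ssh2
"""

# Matches the usual OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2011):
    """Parse one sshd auth.log line into a dict, or return None for anything else.
    Syslog timestamps have no year, so the caller supplies one (2011 is assumed here)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, hitcount=3, seconds=300, year=2011):
    """Replay the log and return (offenders, root_logins).

    offenders:   ip -> time at which it reached `hitcount` failures within `seconds`,
                 the same sliding window the iptables recent-module rule uses.
    root_logins: successful root logins, each marked with whether the source was
                 already an offender at that point.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = {}
    root_logins = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            window = recent[ip]
            window.append(ts)
            # Drop failures that have fallen out of the sliding window.
            while window and (ts - window[0]).total_seconds() >= seconds:
                window.popleft()
            if len(window) >= hitcount and ip not in offenders:
                offenders[ip] = ts
        elif ev["user"] == "root":
            root_logins.append({"ts": ts, "ip": ip, "method": ev["method"],
                                "after_failures": ip in offenders})
    return offenders, root_logins


if __name__ == "__main__":
    offenders, root_logins = analyze(SAMPLE_AUTH_LOG)
    for ip, when in offenders.items():
        print(f"brute force: {ip} reached the threshold at {when:%H:%M:%S}")
    for login in root_logins:
        tag = "after failed attempts" if login["after_failures"] else "no prior failures"
        print(f"root login via {login['method']} from {login['ip']} "
              f"at {login['ts']:%H:%M:%S} ({tag})")
```

Run it against a real file with analyze(open("/var/log/auth.log").read()); a root login that follows a burst of failures from the same source is the pattern that distinguishes a guessed password from a server-side bug, which is exactly what Ville's questions are getting at.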
