
Re: SSH Cracking Attempts



On Wed, 29 Sep 2004 16:13:10 -0500, Jacob S <stormspotter@6texans.net> wrote:
> On Wed, 29 Sep 2004 16:10:58 -0400
> Nicolas <ripley@8d.com> wrote:
> 
> >
> > > So, my question is this. Is there a way to tell ssh to refuse
> > > connections from an ip address after a certain number of failed
> > > login attempts, or is snort the only way to do something like this?
> > > So far I've been taking the manual approach, blocking the ip address
> > > with my firewall after I see it hitting the logs, but that can give
> > > them about an hour to play before I notice it (e-mailed to me by
> > > logcheck).
> > >
> > > Any suggestions?
> >
> > If you don't have too many users who log in to your server, you can
> > allow only them from specific IPs to log in.  Or you can disable the
> > password facility and only use keys (we do it this way at the job; it's
> > also what I do at home).
> 
> That would work for the server that's currently having problems, but not
> all of my servers, unfortunately.
> 
> >  Nic Cola
> >
> > P.S.
> >  Just for the fun of it, you can also tarpit the IP of the script
> >  kiddy ;o)
> 
> I'd love to, but I need a way to automate it to make it practical. I'm
> noticing that very few of these attempts are coming from cable or dsl
> users. Most of them seem to be coming from some remote machine inside a
> large webhosting company. I haven't been able to determine if the box
> was taken over by crackers or the users are abusing it; though my guess
> is crackers. Either way they're a pest.
> 

I've read this reported some time ago on the full-disclosure mailing
list; someone was worried about a new SSH exploit. I don't recall the
details, but it seems there's a script that tries some weak
username/password combinations...


Andrea
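
The automated check asked about in this thread (flag an address after a certain number of failed logins), as an added example that is not part of any poster's message: it counts sshd "Failed password" lines per source address in a sliding window and returns the addresses to block. The log lines are constructed, and the function name, threshold, window and year defaults are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at end of line with a greedy user field, so a login name such as
# "a from 192.0.2.9 port 1 ssh2" cannot make the parser blame another address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+(?: ssh\d)?$"
)

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = """\
Sep 29 15:02:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Sep 29 15:02:03 host sshd[4102]: Failed password for illegal user test from 203.0.113.7 port 40002 ssh2
Sep 29 15:02:05 host sshd[4103]: Failed password for illegal user guest from ::ffff:203.0.113.7 port 40003 ssh2
Sep 29 15:02:06 host sshd[4104]: Failed password for illegal user a from 192.0.2.9 port 1 ssh2 from 203.0.113.7 port 40004 ssh2
Sep 29 15:02:08 host sshd[4105]: Failed password for admin from 203.0.113.7 port 40005 ssh2
Sep 29 15:03:00 host sshd[4106]: Accepted publickey for alice from 198.51.100.20 port 51000 ssh2
Sep 29 15:04:00 host sshd[4107]: Failed password for alice from 198.51.100.20 port 51001 ssh2
"""

def offenders(lines, threshold=5, window=timedelta(minutes=10), year=2004):
    """Map each IP with >= threshold failures inside window to the time it crossed."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:        # not an address: ignore rather than guess
            continue
        # Fold ::ffff:a.b.c.d into a.b.c.d so one host is counted once.
        ip = str(getattr(addr, "ipv4_mapped", None) or addr)
        # Syslog timestamps carry no year; the caller supplies it (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = when
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S} block {ip}")
```

The returned addresses can be handed to the same firewall rule that is currently added by hand after reading the logcheck mail.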


