Re: SSH attack
On 10/03/2005 09:00 pm, Jared Hall wrote:
> I took care of it all last night a couple of minutes after I posted.
> Here's what I did.
> I looked at my logs and found that there was no successful root login.
> The reason netstat was showing another root connection from the
> mentioned IP is that the script kiddie was rapidly connecting to my
> sshd service and trying to crack root, and a whole bunch of
> nonexistent users. This machine only has two accounts on it, root,
> and my own. Both have extremely complicated passwords, so there's no
> way a script could have guessed it anyway. I couldn't kill the user
> because the connections were opening and closing too quickly. I
> blocked the IP using /etc/hosts.deny on each of my servers. The kids
> were looking at each of my IPs trying to find vulnerabilities... but
> not anymore. I sent an email to email@example.com to let the
> administrator know that one of their users is using scripts to attack
> servers over ssh (possibly using a mix of names from some of my mail
> user accounts and common names). I'm waiting for a reply still.
> Thanks for the input.
Do you know for sure that /etc/hosts.deny has anything to do with ssh?
I thought /etc/hosts.deny would only work with services that run from inetd or
xinetd, not with daemons.
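
An added example, not part of either poster's message: a Python sketch of the log check described in the quoted post, counting failed sshd logins per source address, listing accepted logins, and formatting /etc/hosts.deny entries for the noisy sources. The log lines are constructed samples in OpenSSH syslog format, the addresses are documentation-range placeholders, and the threshold of 3 is an assumption; the generated entries are only honoured by an sshd that is linked against TCP wrappers (libwrap).

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH syslog format (not from the thread).
# The fifth line carries a username crafted to look like another source address.
SAMPLE_LOG = """\
Oct  2 23:10:01 host sshd[4101]: Failed password for root from 192.0.2.45 port 40112 ssh2
Oct  2 23:10:02 host sshd[4103]: Invalid user admin from 192.0.2.45
Oct  2 23:10:02 host sshd[4103]: Failed password for invalid user admin from 192.0.2.45 port 40120 ssh2
Oct  2 23:10:03 host sshd[4105]: Failed password for invalid user test from 192.0.2.45 port 40131 ssh2
Oct  2 23:10:04 host sshd[4107]: Failed password for invalid user x from 203.0.113.9 port 1 ssh2 from 192.0.2.45 port 40140 ssh2
Oct  2 23:10:05 host sshd[4109]: Failed password for root from 192.0.2.45 port 40150 ssh2
Oct  2 23:12:30 host sshd[4150]: Failed password for jared from 198.51.100.7 port 51000 ssh2
Oct  2 23:12:41 host sshd[4152]: Accepted password for jared from 198.51.100.7 port 51002 ssh2
"""

# Anchor on the end of the line and match the username greedily, so a username
# containing " from <ip> port " cannot make the parser blame a different address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(.*) from (\S+) port \d+(?: ssh\d)?$"
)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def analyze(log_text, threshold=3):  # threshold is an assumed cut-off
    """Return (failures per source, accepted (user, ip) pairs, offending sources)."""
    failures, accepted = Counter(), []
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            failures[failed.group(2)] += 1
            continue
        ok = ACCEPTED.search(line)
        if ok:
            accepted.append(ok.groups())
    offenders = sorted(ip for ip, n in failures.items() if n >= threshold)
    return failures, accepted, offenders


def hosts_deny_lines(offenders):
    """Format TCP-wrappers entries ("daemon: client") for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in offenders]


if __name__ == "__main__":
    failures, accepted, offenders = analyze(SAMPLE_LOG)
    print("failed attempts per source:", dict(failures))
    print("accepted root logins:", [a for a in accepted if a[0] == "root"])
    print("\n".join(hosts_deny_lines(offenders)))
```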