Re: SSH attack
Alvin Oga wrote:
On Tue, 4 Oct 2005, Henrique de Moraes Holschuh wrote:
On Mon, 03 Oct 2005, Marty wrote:
> Correction -- it's in the hosts.deny man page. As others have already
> pointed out, sshd must be configured to start via inetd.
Must it? It uses tcp-wrappers natively, it should not need inetd for
ANYTHING concerning /etc/hosts.allow or /etc/hosts.deny.
I should have said that inetd must be configured to start sshd,
if you want it to mail information on refused login attemts.
simple test ...
( use your positive or negative logic equivalents for these files )
ALL : ALL
I'm not sure that will work with the manpage example I gave.
At least you can get an equivalent effect by adding an entry
for each server started by inetd.
and try to make your ssh work .. when yu give yp ..
you'll find that you will need to have
sshd : 192.168.123.456
restart the inetd or sshd as needed
Don't forget to add your ssh entry in /etc/inetd.conf.
whether inetd is good or bad is a separate issue
Now that you menion it, this is probably not a good way to
detect failed ssh login attempts for two reasons: because
those packets should probably be blocked at the firewall;
and because it also won't report failed attempts on the
permitted IP address space.
Before suggesting that I skimmed over the ssh/sshd manpages
to see if they supported an automatic email alert option.
ssh did mention an option for supplying a users email address,
but I didn't find out what its used for.
At first I thought the best way to do this is in a network
monitoring tools, but I don't know whether such tools would
normally detect an application-level event like a failed
login attempt. As for tools that just monitor logs, I'm not
sure whether they can respond fast enough.