Re: SSH attack

Alvin Oga wrote:
On Tue, 11 Oct 2005, Marty wrote:

> grep whatever you like from the gazillion log files for ssh this and ssh
> that

I don't know what you're getting at here. The idea is to get a realtime email alert.

> one can get any and all kinds of alerts till you're blue ( satisfied )
> 	- just write it the way you like

The problem is that the method I proposed, using hosts.deny, doesn't cover all
cases, no matter how much code I write.  I already gave one reason and
there are a few more I can think of.

> if you use somebody else's widgets, you are restricted to
> what they did and what it does

That's fine and even preferable, if it does everything I need.

> - if you are cracked or about to be cracked, you have less than 5 seconds
>   to close the exploit before they can do the " rm -rf / "

The whole point is to respond to the break-in attempts as quickly as
possible, since most are not successful on the first attempt, and your
example presupposed that the attacker immediately gets root access on
the first attempt, which is not very likely.

Thanks, you just reminded me of two more items for my ssh hardening plan:

- deny root login

- turn off sshd access after a specified number of failed login attempts,
  or any attempts outside the specific IP address range.

c ya
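The "turn off sshd access after N failed attempts, except from a trusted range" item in the plan above, as an added example that is not part of the original thread and is not Marty's or Alvin's code. It reads OpenSSH-style auth-log lines, counts failures per source address, and emits hosts.deny entries for repeat offenders while exempting a trusted prefix. Assumptions (mine, not the thread's): the log wording "Failed password for ... from <ip>" (which varies by OpenSSH version), a sshd built with TCP-wrappers support that honours /etc/hosts.deny, a trusted range given as a dotted string prefix rather than a CIDR, and constructed sample log lines instead of real traffic. The demo writes to a scratch file rather than /etc/hosts.deny.

```shell
#!/bin/sh
# Added example: build hosts.deny entries from failed sshd logins.
# Not from the original thread. Assumes OpenSSH "Failed password for ... from <ip>"
# log lines (wording varies by version) and a TCP-wrappers-aware sshd.

# Constructed sample auth log (not real traffic); written to a temp file.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Oct 11 20:14:01 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Oct 11 20:14:03 gw sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Oct 11 20:14:05 gw sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Oct 11 20:15:10 gw sshd[1210]: Failed password for marty from 10.0.0.5 port 50001 ssh2
Oct 11 20:15:12 gw sshd[1211]: Failed password for marty from 10.0.0.5 port 50002 ssh2
Oct 11 20:15:14 gw sshd[1212]: Failed password for marty from 10.0.0.5 port 50003 ssh2
Oct 11 20:16:00 gw sshd[1220]: Failed password for root from 198.51.100.7 port 60001 ssh2
Oct 11 20:16:30 gw sshd[1221]: Accepted publickey for marty from 10.0.0.5 port 50004 ssh2
EOF

# failed_ips LOG THRESHOLD
# Prints "ip count" for every source with at least THRESHOLD failed logins,
# sorted so the output is stable regardless of awk's hash iteration order.
failed_ips() {
    awk -v n="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= n) print ip, fails[ip] }
    ' "$1" | sort
}

# deny_entries LOG THRESHOLD TRUSTED_PREFIX
# Prints "sshd: <ip>" for offenders outside the trusted prefix. Trusted sources
# are only reported on stderr: locking out your own management network is the
# classic self-inflicted denial of service with this kind of script.
deny_entries() {
    failed_ips "$1" "$2" | while read -r ip count; do
        case "$ip" in
            "$3"*) echo "skip trusted $ip ($count failures)" >&2 ;;
            *)     echo "sshd: $ip" ;;
        esac
    done
}

# append_deny DENYFILE LOG THRESHOLD TRUSTED_PREFIX
# Appends only entries not already present, so repeated runs (cron, a
# tail -f loop) never duplicate lines.
append_deny() {
    deny_entries "$2" "$3" "$4" | while read -r entry; do
        grep -qxF "$entry" "$1" 2>/dev/null || echo "$entry" >> "$1"
    done
}

# Demo against a scratch file, never the real /etc/hosts.deny.
DENY="$(mktemp)"
append_deny "$DENY" "$SAMPLE_LOG" 3 "10.0.0."
append_deny "$DENY" "$SAMPLE_LOG" 3 "10.0.0."   # second run adds nothing
cat "$DENY"
```

With the sample log and a threshold of 3, 192.0.2.10 is denied, 10.0.0.5 is skipped as trusted, and 198.51.100.7 (one failure) is left alone. The remaining two items of the plan are sshd_config directives rather than script: `PermitRootLogin no` for the root-login item, and `AllowUsers marty@10.0.0.*` (a real sshd_config pattern form) to refuse logins from outside the trusted range at the daemon itself, which covers the cases a hosts.deny list reacting after the fact cannot.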

