Re: SSH attack
Quoting Jared Hall <jrhall@gmail.com>:
I took care of it all last night a couple of minutes after I posted.
Here's what I did.
I looked at my logs and found that there was no successful root login.
the reason netstat was showing another root connection from the
mentioned ip is that the script kiddie was rapidly connecting to my
sshd service and trying to crack root, and a whole bunch of
nonexistent users. This machine only has two accounts on it, root,
and my own. Both have extremely complicated passwords, so there's no
way a script could have guessed it anyway. I couldn't kill the user
because the connections were opening and closing too quickly. I
blocked the ip using /etc/hosts.deny on each of my servers. The kids
were looking at each of my ip's trying to find vulnerabilities... but
not anymore. I sent to and email to abuse@their.domain to let the
administrator know that one of their users is using scripts to attack
servers over ssh (possibly using a mix of names from some of my mail
user accounts and common names). I'm waiting for a reply still.
thanks for the input.
Jared
I highly recommend the use of shorewall for something like this. A
simple line
in the rules file as all you need:
ACCEPT net $FW tcp 22 - -
1/min:2
That accepts ssh connections at a rate of 1 per minute, with a burst of 2. If
you mess up your own login twice, then it shouldn't be too much of an
inconvenience to wait 60 seconds. Also, for goodness sake, please disallow
root login via ssh.
-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Reply to: