
Re: SSH attack



Landy Bible wrote:
Marty wrote:

-configure the ssh server to report any successful ssh login using email,
and/or send a page or cell phone alert

I can only guess at this point because I've not tried it.

A crude example might be using a login script to detect whether the shell is
starting in an ssh session, e.g.:

if [ -n "$SSH_CONNECTION" ]; then   # set by sshd in the session environment
  tail /var/log/authlog | /usr/bin/mail -s "ssh login at `date`" myaddr@mydomain.com
  # ...
fi

Here I might call chat or a similar program to send the page or phone alert, using
a modem in the system that's not used for my main internet connection.

I would run something like this on the gateway/firewall and/or on an internal system
which has ssh forwarded to it.  I'm not sure which method would be more secure.



-do the same for multiple failed connection attempts
Could someone point me at a way to do this?


There are probably special tools for this, but an easy way is to use inetd:

From http://www.freeos.com/articles/2896/:

  If you would like to know about the failed connection attempts to your
  machine then change the above entry to the following [in /etc/hosts.deny].

  ALL:ALL:/bin/mail -s "%s connection attempt from %c" freeos@localhost

The inetd man page gives an example for use with a specific service:

       /etc/hosts.deny:
          in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \
               /usr/bin/mail -s %d-%h root) &

An example using the "SPAWN" command is given here:
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-tcpwrappers

       ALL: ALL: SPAWN ( \
         echo -e "\n\
         TCP Wrappers\: Connection refused\n\
         By\: $(uname -n)\n\
         Process\: %d (pid %p)\n\
         User\: %u\n\
         Host\: %c\n\
         Date\: $(date)\n\
       " | /usr/bin/mail -s "Connection to %d blocked" root) &
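
As an added example that is not part of the original thread, the POSIX sh script below puts the two alerts discussed above into one file: a login-script check for a shell started over ssh (using the SSH_CONNECTION variable that sshd exports into the session environment, which is what `pidof` cannot tell you), and a tally of failed ssh logins per source address over auth log lines so that repeated attempts can be reported by mail. The log lines, addresses, user names, the threshold and the MAIL_CMD variable are constructed assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: ssh login notice plus a per-source
# count of failed ssh logins for a "multiple failed attempts" alert.
# Log lines, addresses, names and thresholds below are constructed samples.

# Constructed auth log excerpt in OpenSSH's syslog format (not real traffic).
SAMPLE_LOG='Mar  3 10:01:02 gw sshd[1234]: Failed password for root from 198.51.100.7 port 4022 ssh2
Mar  3 10:01:05 gw sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 4023 ssh2
Mar  3 10:01:09 gw sshd[1236]: Failed password for root from 198.51.100.7 port 4024 ssh2
Mar  3 10:02:11 gw sshd[1240]: Accepted publickey for marty from 192.0.2.10 port 51000 ssh2
Mar  3 10:03:30 gw sshd[1241]: Failed password for marty from 192.0.2.10 port 51002 ssh2'

# Delivery command.  The thread uses /usr/bin/mail; it is a variable here so the
# script runs offline.  For real use: MAIL_CMD="/usr/bin/mail -s ssh-alert root"
MAIL_CMD=${MAIL_CMD:-cat}

# ssh_login_alert: the login-script check.  sshd exports SSH_CONNECTION
# ("client_ip client_port server_ip server_port") into the session environment,
# so its presence is a reliable test; "pidof ssh" would only find ssh clients.
# Prints the alert text and returns 0 in an ssh session, returns 1 otherwise.
ssh_login_alert() {
    [ -n "$SSH_CONNECTION" ] || return 1
    printf 'ssh login for %s from %s at %s\n' \
        "${USER:-$(id -un)}" "${SSH_CONNECTION%% *}" "$(date)"
}

# failed_by_source: read auth log lines on stdin, print "count address" for
# each source of "Failed password" lines, most frequent first.
failed_by_source() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# failed_total: total number of failed password attempts in the lines on stdin.
failed_total() {
    failed_by_source | awk '{s += $1} END {print s + 0}'
}

# offenders: addresses with at least $1 failures in the log lines on stdin.
offenders() {
    failed_by_source | awk -v t="$1" '$1 >= t {print $2}'
}

# report_failures: build and deliver the "multiple failed attempts" alert for
# the log lines on stdin; delivers nothing and returns 1 when no source reaches
# the threshold given as $1.
report_failures() {
    threshold="$1"
    hits=$(failed_by_source | awk -v t="$threshold" '$1 >= t')
    [ -n "$hits" ] || return 1
    {
        printf 'Sources with %s or more failed ssh logins on %s:\n' \
            "$threshold" "$(uname -n)"
        printf '%s\n' "$hits"
    } | $MAIL_CMD
}
```

Typical use would be `ssh_login_alert | $MAIL_CMD` from a login script, and `tail -n 500 /var/log/authlog | report_failures 5` from cron; the sample log above trips the report at a threshold of 3 for 198.51.100.7 only. The regular expression is deliberately anchored on the `sshd[pid]: Failed password for ... from ADDRESS port` shape so that "Accepted" lines and unrelated syslog entries are never counted.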
