Re: SSH attack

[Pollywog <linux-debian@shadypond.com>]

On 10/03/2005 09:00 pm, Jared Hall wrote:
> I took care of it all last night a couple of minutes after I posted.
> Here's what I did.
>
> I looked at my logs and found that there was no successful root login.
>  the reason netstat was showing another root connection from the
> mentioned ip is that the script kiddie was rapidly connecting to my
> sshd service and trying to crack root, and a whole bunch of
> nonexistent users.    This machine only has two accounts on it, root,
> and my own. Both have extremely complicated passwords, so there's no
> way a script could have guessed it anyway.  I couldn't kill the user
> because the connections were opening and closing too quickly.  I
> blocked the ip using /etc/hosts.deny on each of my servers.  The kids
> were looking at each of my ip's trying to find vulnerabilities... but
> not anymore. I sent to and email to abuse@their.domain to let the
> administrator know that one of their users is using scripts to attack
> servers over ssh (possibly using a mix of names from some of my mail
> user accounts and common names).  I'm waiting for a reply still.
> thanks for the input.
> Jared

Do you know for sure that /etc/hosts.deny has anything to do with ssh?
I thought /etc/hosts.deny would only work with services that run from inetd or 
xinetd, not with daemons.


8)