Re: SSH attack

To: debian list <debian-user@lists.debian.org>
Subject: Re: SSH attack
From: Marty <martyb@ix.netcom.com>
Date: Tue, 11 Oct 2005 01:59:23 -0400
Message-id: <[🔎] 434B54BB.9080803@ix.netcom.com>
In-reply-to: <[🔎] Pine.LNX.3.96.1051010222735.3184A-100000@Maggie.Linux-Consulting.com>
References: <[🔎] Pine.LNX.3.96.1051010222735.3184A-100000@Maggie.Linux-Consulting.com>

Alvin Oga wrote:

On Tue, 11 Oct 2005, Marty wrote:

> grep whatever you like from the gazillion log files for ssh this and ssh
> that

I don't know what you're getting at here.   The idea is to get a realtime email alert.


one can get any and all kinds of alerts till you're blue ( satisfied )
	- just write it the way you like


The problem is that method I proposed, using hosts.deny, doesn't cover all
cases, no matter how much code I write.  I already gave one reason and
there are a few more I can think of.


if you use somebody else widgets, you are restricted to
what they did and what it does


That's fine and even preferable, if it does everything I need.


- if you are cracked or about to be cracked, you have less than 5 seconds
  to close the exploit before they can do the " rm -rf / "


The whole point is to respond to the breakin attempts as quickly as
possible, since most are not successful on the first attempt, and your
example presupposed that the attacker immediately gets root access on
the first attempt, which is not very likely.

Thanks, you just reminded me of two more items for my ssh hardening plan:

-deny root login

-turn off sshd access after a specified number of failed login attempts,
or any attempts outside the specific IP address range.


c ya
alvin

Reply to:

Follow-Ups:
- Re: SSH attack
  - From: Alvin Oga <aoga@mail.Linux-Consulting.com>

References:
- Re: SSH attack
  - From: Alvin Oga <aoga@mail.Linux-Consulting.com>

Prev by Date: Statically-linked binaries
Next by Date: Re: SSH attack
Previous by thread: Re: SSH attack
Next by thread: Re: SSH attack
Index(es):
- Date
- Thread