Security Basics mailing list archives
RE: SSH server under attack...
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Wed, 25 Jan 2006 10:17:12 -0500
Can you lock down your Firewall to only allow a specific range of IPs to your SSH server? If your SSH users all reside within a certain area (like in the same general vicinity of your business), maybe you can pinpoint their ISPs and only allow access from those specific ranges. Or, identify the users allowed to log in via ssh and have them obtain their home IPs. Yes, ISPs allocate IPs to their Cable/DSL modems via DHCP; however, it's been my experience that once one of these modems (non dial-up, that is) obtains an IP, it usually retains the same IP. Maybe you can lock it down and drop all other packets.

Another idea: change the external IP of the SSH Server and toss in LABREA or a Honeypot running an SSH Server on the IP currently in use/under attack. Maybe you can set something up so that this guy will be occupied with the Honeypot enough to leave your real SSH server alone. If you can, configure your honeypot ssh server with some basic username and pass and let him crack that. Set it up to log all events and maybe you can get enough info to catch this guy.

If you do resolve the issue, can you share your procedures with the community?

Good Luck.

JMB

| -----Original Message-----
| From: Dave [mailto:dlaud.flux () gmail com]
| Sent: Monday, January 23, 2006 4:41 PM
| To: security-basics () securityfocus com
| Subject: SSH server under attack...
|
| My SSH server has been under DoS and I can't stop it!!!
|
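
One way to carry out the allowlisting idea from the message above, as an added example that is not part of the original post: collect the source addresses of successful logins by authorized users from the sshd log and turn them into firewall allow rules. The OpenSSH-style log format, the /24 widening, the iptables syntax and the sample log lines (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sshd log lines using documentation address ranges (not from the thread).
SAMPLE_LOG = """\
Jan 23 09:12:01 gw sshd[2101]: Accepted password for alice from 198.51.100.23 port 40112 ssh2
Jan 23 09:40:17 gw sshd[2140]: Failed password for root from 203.0.113.77 port 51920 ssh2
Jan 23 09:40:19 gw sshd[2141]: Failed password for invalid user admin from 203.0.113.77 port 51944 ssh2
Jan 24 18:03:55 gw sshd[2377]: Accepted publickey for bob from 192.0.2.140 port 33810 ssh2
Jan 25 08:59:30 gw sshd[2502]: Accepted password for alice from 198.51.100.57 port 41877 ssh2
"""

# Only successful logins count; failed attempts never contribute to the allowlist.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+) ")

def known_sources(log_text, authorized_users):
    """Map each authorized user to the source IPs of their successful logins."""
    seen = {}
    for m in ACCEPTED.finditer(log_text):
        user, ip = m.group(1), ipaddress.ip_address(m.group(2))
        if user in authorized_users:
            seen.setdefault(user, set()).add(ip)
    return seen

def build_allowlist(sources, prefix_len=24):
    """Widen each address to its enclosing /prefix_len (assumed size of the
    ISP's DHCP pool) and merge duplicate or adjacent networks."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ips in sources.values() for ip in ips}
    return list(ipaddress.collapse_addresses(nets))

def is_allowed(ip, allowlist):
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)

def iptables_rules(allowlist, port=22):
    """Render allow rules followed by a default drop for the SSH port.
    The rules are returned as text only; nothing is applied to the host."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
             for net in allowlist]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    allow = build_allowlist(known_sources(SAMPLE_LOG, {"alice", "bob"}))
    print("\n".join(iptables_rules(allow)))
```

Review the generated ranges before loading them: a wider prefix tolerates DHCP address changes but also admits every other customer in that pool.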