Security Incidents mailing list archives
Re: Voluminous SSHd scanning; possible worm activity?
From: Jonathan Bloomquist <bocasolutions () yahoo com>
Date: Thu, 13 Dec 2001 05:58:52 -0800 (PST)
--- Bertrand Lupart <Bertrand.Lupart () iteam org> wrote:
For my own part, on top of upgrading to the latest versions of SSHd, I'm recommending that folks utilize IPchains or IPFilter to reinforce their explicitly-defined AllowHosts directives in sshd_config. These measures in themselves should greatly mitigate both the present (and hopefully, future) threat of successful remote attack on SSHd.

Are we safe if the attack is run from a host not listed as accepted in access control files, ie:

/etc/hosts.deny:
ALL: ALL

/etc/hosts.allow:
sshd: www.xxx.yyy.zzz

Only services that are launched using tcpwrappers will check the /etc/hosts.* files for access permissions. You can use tcpdchk to analyze your wrapper config:

%man 8 tcpdchk

tcpdchk - tcp wrapper configuration checker

SYNOPSIS
    tcpdchk [-a] [-d] [-i inet_conf] [-v]

DESCRIPTION
    tcpdchk examines your tcp wrapper configuration and reports all potential and real problems it can find. The program examines the tcpd access control files (by default, these are /etc/hosts.allow and /etc/hosts.deny), and compares the entries in these files against entries in the inetd or tlid network configuration files.

    tcpdchk reports problems such as non-existent pathnames; services that appear in tcpd access control rules, but are not controlled by tcpd; services that should not be wrapped; non-existent host names or non-internet address forms; occurrences of host aliases instead of official host names; hosts with a name/address conflict; inappropriate use of wildcard patterns; inappropriate use of NIS netgroups or references to non-existent NIS netgroups; references to non-existent options; invalid arguments to options; and so on.

    Where possible, tcpdchk provides a helpful suggestion to fix the problem.

hth
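
The exchange above, worked as an added example that is not part of the original messages: a simplified Python model of the hosts_access(5) search order applied to the rules quoted in the question. It covers only a subset of the real syntax (no options, netgroups, EXCEPT or IPv6); the address 192.0.2.10 is a constructed stand-in for the elided www.xxx.yyy.zzz, and the `wrapped` parameter is a hypothetical flag modelling a daemon that never consults the files.

```python
# Constructed sample rules modelled on the thread (192.0.2.10 is a placeholder).
HOSTS_ALLOW = "sshd: 192.0.2.10\n"
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from access-file text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":")  # any third field (options) is ignored here
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules

def _match(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):      # address prefix, e.g. "192.0.2."
        return value.startswith(pattern)
    if pattern.startswith("."):    # domain suffix, e.g. ".example.org"
        return value.endswith(pattern)
    return pattern == value

def _any_rule_matches(rules, daemon, client):
    return any(any(_match(d, daemon) for d in daemons)
               and any(_match(c, client) for c in clients)
               for daemons, clients in rules)

def access_granted(daemon, client, allow_text, deny_text, wrapped=True):
    """Decision for one connection, in hosts_access(5) search order."""
    if not wrapped:
        return True    # daemon not using tcp wrappers: files are never read
    if _any_rule_matches(parse_rules(allow_text), daemon, client):
        return True    # first: a match in hosts.allow grants access
    if _any_rule_matches(parse_rules(deny_text), daemon, client):
        return False   # second: a match in hosts.deny refuses access
    return True        # no match in either file: access is granted

if __name__ == "__main__":
    for client in ("192.0.2.10", "203.0.113.7"):
        for wrapped in (True, False):
            ok = access_granted("sshd", client, HOSTS_ALLOW, HOSTS_DENY, wrapped)
            print(f"sshd from {client} wrapped={wrapped}: "
                  f"{'granted' if ok else 'denied'}")
```

Passing an empty string as `deny_text` shows the default-grant case: without the `ALL: ALL` line, an unlisted client is accepted even by a wrapped daemon.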