Security Incidents mailing list archives

Re: Voluminous SSHd scanning; possible worm activity?


From: Jonathan Bloomquist <bocasolutions () yahoo com>
Date: Thu, 13 Dec 2001 05:58:52 -0800 (PST)


--- Bertrand Lupart <Bertrand.Lupart () iteam org> wrote:
    For my own part, on top of upgrading to the latest versions of SSHd, I'm recommending that folks utilize IPchains or IPFilter to reinforce their explicitly-defined AllowHosts directives in sshd_config. These measures in themselves should greatly mitigate both the present (and hopefully, future) threat of successful remote attack on SSHd.

    Are we safe if the attack is run from a host not listed as accepted in access control files, i.e.:

    /etc/hosts.deny:
    ALL: ALL

    /etc/hosts.allow:
    sshd: www.xxx.yyy.zzz


Only services that are launched using tcpwrappers will check the /etc/hosts.* files for access permissions.

You can use tcpdchk to analyze your wrapper config:

%man 8 tcpdchk


       tcpdchk - tcp wrapper configuration checker

SYNOPSIS
       tcpdchk [-a] [-d] [-i inet_conf] [-v]

DESCRIPTION
       tcpdchk examines your tcp wrapper configuration and reports all potential and real problems it can find. The program examines the tcpd access control files (by default, these are /etc/hosts.allow and /etc/hosts.deny), and compares the entries in these files against entries in the inetd or tlid network configuration files.

       tcpdchk reports problems such as non-existent pathnames; services that appear in tcpd access control rules, but are not controlled by tcpd; services that should not be wrapped; non-existent host names or non-internet address forms; occurrences of host aliases instead of official host names; hosts with a name/address conflict; inappropriate use of wildcard patterns; inappropriate use of NIS netgroups or references to non-existent NIS netgroups; references to non-existent options; invalid arguments to options; and so on.

       Where possible, tcpdchk provides a helpful suggestion to fix the problem.

hth
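To make the hosts_access evaluation order concrete, here is an added example (not code from the thread, and not tcp wrappers itself): a small Python model of how a libwrap-linked daemon would apply the hosts.allow/hosts.deny pair quoted above. The address 192.0.2.10 stands in for the placeholder www.xxx.yyy.zzz and the sample files are constructed; a daemon not built against libwrap never consults these files at all, which is the point of the reply.

```python
import ipaddress

# Constructed sample files mirroring the configuration quoted in the thread
# (www.xxx.yyy.zzz replaced with the documentation address 192.0.2.10).
HOSTS_DENY = """
ALL: ALL
"""
HOSTS_ALLOW = """
# only one management host may reach sshd
sshd: 192.0.2.10
"""

def parse_rules(text):
    """Return (daemon_list, client_list) tuples from a hosts.allow/hosts.deny file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                                # malformed; tcpdchk would flag it
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, addr):
    """Match an IP client pattern: ALL, a trailing-dot prefix, net/mask, or exact."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # e.g. "10.1." matches 10.1.x.y
        return addr.startswith(pattern)
    if "/" in pattern:                              # e.g. "203.0.113.0/255.255.255.0"
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr

def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and \
        any(client_matches(c, addr) for c in clients)

def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) order: a hosts.allow match grants, then a hosts.deny
    match refuses, and a (daemon, client) pair matching neither file is granted."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True
```

With the quoted files, only the listed host reaches sshd and every other wrapped service is refused; note that an empty pair of files grants everything, which is why the default-deny line matters.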


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

