Re: Voluminous SSHd scanning; possible worm activity?

[Paul Gear <paulgear () gear dyndns org>]

> --- Bertrand Lupart <Bertrand.Lupart () iteam org> wrote:
> > >   For my own part, on top of upgrading to the latest versions of SSHd,
> > >   I'm recommending that folks utilize IPchains or IPFilter to reinforce
> > >   their explicitly-defined AllowHosts directives in sshd_config.  These
> > >   measure in themselves should greatly mitigate both the present (and
> > >   hopefully, future) threat of successful remote attack on SSHd. 
> >
> > Are we safe if the attack is run from a host not listed as accepted in
> > access control files, ie:
> >
> > /etc/hosts.deny:
> > ALL: ALL
> >
> > /etc/hosts.allow:
> > sshd: www.xxx.yyy.zzz
>
> Only services that are launched using tcpwrappers will check the
> /etc/hosts.* files for access permissions.
>
> Your can use tcpdchk to analyze your wrapper config:

That's not strictly true.  Anything that uses libwrap uses it, which includes
recent versions of OpenSSH (at least on Red Hat Linux - i believe it's a
compile-time option).

PDG

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com