Security Incidents mailing list archives
RE: Internet SSH scans
From: "Adriano Carvalho" <adriano.carvalho () urbi com br>
Date: Tue, 21 Mar 2006 16:20:46 -0200
Like me. When I want to connect to some machine, I must first get into a specific machine, and after that I can connect to all the network.

Many things can be done:
1) No root login
2) Only a specific user (AllowUsers option in sshd_config)
3) Only a specific machine
4) Some script to analyze the logs

At the "specific machine", I change some things:
1) Always use high ports, never the default port
2) Hide the ssh service. How? Try SAdoor (http://packetstormsecurity.org/UNIX/penetration/rootkits/index6.html)

From packetstorm:

"SADoor is a non-listening remote administration tool for Unix systems. It sets up a listener in non-promiscuous mode for a specific sequence of packets arriving to the interface before allowing command mode. The commands are sent Blowfish encoded in the TCP payload and decoded and passed on to system(3)."

It's cool, and good to hide some services...

Regards,
Adriano.

---------- Forwarded Message -----------
From: mrbits () terra com br
To: incidents () securityfocus com
Sent: 3 Mar 2006 09:33:56 -0000
Subject: Re: Re: RE: Internet SSH scans

These SSH scans are generated (in most cases) by Linux zombie machines, infected with a kind of worm used to get vulnerable hosts to install a PBSync IRC. I just changed my default SSH port and all attacks had stopped. Another way is to run something like DenyHosts, a Python-based daemon that scans logs and puts the "attacker IP" into /etc/hosts.deny: SSHD:10.0.0.1 (for example).

CheerS

------- End of Forwarded Message -------

--
Adriano Carvalho.
Developer of the Honeypot-BR project
www.netnix.com.br
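
The message above suggests "some script to analyze the logs", and the forwarded reply describes DenyHosts doing this by writing sources into /etc/hosts.deny. The sketch below is an added example, not part of the original e-mails and not DenyHosts code. It assumes OpenSSH's usual syslog "Failed password" line format, IPv4 sources only, and an "sshd: <ip>" entry form; the function names, threshold and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The user name is remote-controlled text, so the match is anchored at the
# end of the line: only the final "from <ip> port <n> ssh2" is trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\S+) port \d+ ssh2$"
)

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Mar  3 09:30:01 host sshd[4101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar  3 09:30:03 host sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Mar  3 09:30:05 host sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 4003 ssh2
Mar  3 09:31:00 host sshd[4110]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.7 port 4100 ssh2
Mar  3 09:32:00 host sshd[4120]: Failed password for adriano from 192.0.2.10 port 5000 ssh2
Mar  3 09:32:10 host sshd[4121]: Accepted password for adriano from 192.0.2.10 port 5001 ssh2
""".splitlines()

def failed_sources(lines):
    """Count failed password attempts per IPv4 source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # not a plain IPv4 address: ignore the line
        counts[str(ip)] += 1
    return counts

def deny_entries(lines, threshold=3, allow=()):
    """Return hosts.deny lines for sources at or above the threshold."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    entries = []
    for ip, n in sorted(failed_sources(lines).items()):
        addr = ipaddress.IPv4Address(ip)
        # Never emit an entry for an allowlisted network (e.g. the jump host).
        if n >= threshold and not any(addr in net for net in allowed):
            entries.append(f"sshd: {ip}")
    return entries

if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the admin's own "specific machine".
    print("\n".join(deny_entries(SAMPLE_LOG, allow=("192.0.2.0/24",))))
```

The allowlist matters as much as the threshold: without it, a few mistyped passwords from the one machine permitted to log in would lock the administrator out.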