Security Basics mailing list archives

RE: SSH server under attack...


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Wed, 25 Jan 2006 10:17:12 -0500

Can you lock down your firewall to only allow a specific range of IPs
to your SSH server?  If your SSH users all reside within a certain area
(like in the same general vicinity of your business), maybe you can
pinpoint their ISPs and only allow access from those specific ranges.
Or, identify the users allowed to log in via SSH and have them obtain
their home IPs.  Yes, ISPs allocate IPs to their cable/DSL modems via
DHCP; however, it's been my experience that once one of these modems (non
dial-up, that is) obtains an IP, it usually retains the same IP.  Maybe
you can lock it down and drop all other packets.


Another idea: change the external IP of the SSH server and toss in
LaBrea or a honeypot running an SSH server on the IP currently in
use/under attack.  Maybe you can set something up so that this guy will
be occupied with the honeypot enough to leave your real SSH server
alone.  You could configure your honeypot SSH server with some basic
username and password and let him crack that.  Set it up to log all events
and maybe you can get enough info to catch this guy.

If you do resolve the issue, can you share your procedures with the
community?

Good luck.

JMB


        |  -----Original Message-----
        |  From: Dave [mailto:dlaud.flux () gmail com] 
        |  Sent: Monday, January 23, 2006 4:41 PM
        |  To: security-basics () securityfocus com
        |  Subject: SSH server under attack...
        |  
        |  My SSH server has been under DoS and I can't stop it!!!
        |  
        |  
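As an added example (not from this post or the thread), the allowlist-plus-logging approach above in Python: constructed sshd log lines are scanned for sources with repeated failed logins, each source is checked against a hypothetical allowlist of the users' home/ISP ranges, and the matching iptables rules are generated (accept the ranges, log and drop everything else, with the LOG rule rate-limited so an attacker cannot flood the log). All addresses and log lines below are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical allowlist of the SSH users' ISP/home ranges (constructed, RFC 5737 documentation space).
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.42/32")]

# Constructed sshd log lines in syslog format; not taken from the original post.
SAMPLE_LOG = """\
Jan 23 16:40:01 host sshd[2101]: Failed password for root from 192.0.2.7 port 51012 ssh2
Jan 23 16:40:02 host sshd[2102]: Failed password for invalid user admin from 192.0.2.7 port 51013 ssh2
Jan 23 16:40:03 host sshd[2103]: Failed password for root from 192.0.2.7 port 51014 ssh2
Jan 23 16:40:09 host sshd[2110]: Accepted publickey for dave from 203.0.113.55 port 40211 ssh2
Jan 23 16:40:15 host sshd[2111]: Failed password for dave from 203.0.113.55 port 40212 ssh2
Jan 23 16:40:20 host sshd[2112]: Failed password for root from 198.51.100.9 port 2200 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user admin from ...".
LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def is_allowed(ip):
    """True if the source address falls inside one of the allowlisted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)

def analyse(log_text, threshold=3):
    """Return sources with >= threshold failures and sources outside the allowlist."""
    failures = Counter()
    outside = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        result, _user, ip = m.groups()
        if not is_allowed(ip):
            outside.add(ip)
        if result == "Failed":
            failures[ip] += 1
    brute_force = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"brute_force": brute_force, "outside_allowlist": sorted(outside)}

def iptables_rules(port=22):
    """Build the lockdown: accept allowlisted ranges, then log (rate-limited) and drop the rest."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT" for net in ALLOWED_RANGES]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -m limit --limit 5/min -j LOG --log-prefix 'SSH-DROP: '")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
    print("\n".join(iptables_rules()))
```

The allowlisted user at 203.0.113.55 shows one failed attempt and stays allowed, while 192.0.2.7 (three failures, outside the ranges) is what the DROP rule silences.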
