Re: Voluminous SSHd scanning; possible worm activity?

[Sam Ferrell <ferrell () tns utk edu>]

There are options like AllowHosts and DenyHosts in the sshd2_config file
as well as other controls to prevent root from being able to ssh.

Sam


On Fri, 14 Dec 2001, Paul Gear wrote:

> > --- Bertrand Lupart <Bertrand.Lupart () iteam org> wrote:
> > > >         For my own part, on top of upgrading to the latest versions of SSHd,
> > > >         I'm recommending that folks utilize IPchains or IPFilter to reinforce
> > > >         their explicitly-defined AllowHosts directives in sshd_config.  These
> > > >         measure in themselves should greatly mitigate both the present (and
> > > >         hopefully, future) threat of successful remote attack on SSHd.
> > >
> > > Are we safe if the attack is run from a host not listed as accepted in
> > > access control files, ie:
> > >
> > > /etc/hosts.deny:
> > > ALL: ALL
> > >
> > > /etc/hosts.allow:
> > > sshd: www.xxx.yyy.zzz
> >
> > Only services that are launched using tcpwrappers will check the
> > /etc/hosts.* files for access permissions.
> >
> > Your can use tcpdchk to analyze your wrapper config:
>
> That's not strictly true.  Anything that uses libwrap uses it, which includes
> recent versions of OpenSSH (at least on Red Hat Linux - i believe it's a
> compile-time option).
>
> PDG
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com