[Intrusions] brute force attack - tcp wrappers and iptables not helping?
dk
dk at pwarchitects.com
Fri Apr 22 23:30:08 GMT 2005
Merton Campbell Crockett wrote:
> For the last year, there have been continual probes for open ssh ports.
> They have not been subtle. It is not unusual to see several hundred
> different root passwords being attempted on a single pass.
Ditto here. I have a collection of 100 or so IPs (quiet subnet I guess)
I've blocked in the last months. As I only allow certain users (only
with keys) to log in, it is a fairly easy script to suck out the
offenders from the logs and block them via iptables... Which I've done
with success.
> On the systems in question, I suspect that you have sshd running and
> sshd_conf isn't configured with IP address restrictions. Tcpwrappers
> wouldn't, necessarily, be called.
Most systems don't run sshd via inetd OOTB, do they? Some authentication
options could be tuned via PAM -- or not depending on the distro
(Slackware, etc).
To the OP, Susanne:
I think we're going to need more info than you provided to give you a
viable solution in your setting.
What flavor/distro of Linux are you running? (I assume Linux from iptables)
What is the network topo (local firewall?, firewall on gateway?)
Is the machine on a public IP or private IP NATed to the Internet?
...
etc.
--
dk
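
The log-scraping approach described in this message, as an added example that is not part of the original post and is not dk's script: it counts sshd "Failed password" lines per source address and prints iptables rules for review instead of applying them. The log lines, the threshold of 3 and the allowlisted network are constructed assumptions; the address is taken from the end of each line, which sshd writes, so text inside the attempted username cannot select what gets blocked.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format (documentation address ranges).
SAMPLE_LOG = """\
Apr 22 03:10:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 22 03:10:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 40115 ssh2
Apr 22 03:10:05 host sshd[2105]: Failed password for illegal user admin from 203.0.113.7 port 40120 ssh2
Apr 22 03:10:09 host sshd[2109]: Failed password for invalid user test from 198.51.100.23 port 51544 ssh2
Apr 22 03:11:40 host sshd[2140]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 192.0.2.99 port 4242 ssh2
Apr 22 03:12:02 host sshd[2150]: Failed password for alice from 192.0.2.50 port 50022 ssh2
Apr 22 03:12:04 host sshd[2152]: Failed password for alice from 192.0.2.50 port 50023 ssh2
Apr 22 03:12:06 host sshd[2154]: Failed password for alice from 192.0.2.50 port 50024 ssh2
Apr 22 03:13:00 host sshd[2160]: Accepted publickey for alice from 192.0.2.50 port 50030 ssh2
"""

# Greedy ".*" plus the "$" anchor bind the capture to the LAST "from <addr> port <n>"
# on the line, i.e. the part sshd appends, not anything inside the username field.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+(?: ssh\d)?\s*$")

def offenders(log_text, threshold=3, allow=("192.0.2.48/28",)):
    """Return sorted source addresses with >= threshold failures, minus the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allow]  # assumed admin network
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a literal address, so never passed on to iptables
        if any(ip in net for net in nets):
            continue  # never block our own hosts, even after typos
        counts[str(ip)] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def iptables_rules(ips):
    """Build DROP rules for the ssh port; -I puts them ahead of existing ACCEPT rules."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(iptables_rules(offenders(SAMPLE_LOG))))
```
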