[Intrusions] brute force attack - tcp wrappers and iptables not helping?

Susanne Hemker shemker2 at jhmi.edu
Wed Apr 27 13:29:55 GMT 2005


Hi all,
0) The workstation is running Fedora Core 3.
1) There is no other firewall, only the Iptables and tcp wrappers on
the workstation itself.
2) The machines all have a public IP
3) I tried to ssh from an "outside" machine to the workstation and got:
ssh_exchange_identification: Connection closed by remote host, so at
least part of the security must work the way it should.

Any other info you need?
Thanks for your help.
Susanne

>>> dk at pwarchitects.com 04/22/05 7:30 PM >>>
Merton Campbell Crockett wrote:
> For the last year, there have been continual probes for open ssh ports.
> They have not been subtle.  It is not unusual to see several hundred
> different root passwords being attempted on a single pass.

Ditto here. I have a collection of 100 or so IPs (quiet subnet I guess)
I've blocked in the last months. As I only allow certain users (only
with keys) to log in, it is a fairly easy script to suck out the
offenders from the logs and block them via iptables... Which I've done
with success.

> On the systems in question, I suspect that you have sshd running and
> sshd_conf isn't configured with IP address restrictions.  Tcpwrappers
> wouldn't, necessarily, be called.

Most systems don't run sshd via inetd OOTB, do they? Some authentication
options could be tuned via PAM -- or not, depending on the distro
(slackware, etc).

To the OP, Susanne:
I think we're going to need more info than you provided to give you a
viable solution in your setting.
What flavor/distro of linux are you running? (I assume linux from iptables)
What is the network topo (local firewall?, firewall on gateway?)
Is the machine on a public IP or private IP NATed to the Internet?
...
etc.

-- 
dk
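
Added example, not part of the original thread and not dk's script: one way to do the log-to-iptables step described above, counting failed sshd password attempts per source address and emitting DROP rules for repeat offenders. The log lines, the host name ws1, the threshold of 3 and the allowlisted network are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in sshd syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 22 03:11:01 ws1 sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 22 03:11:03 ws1 sshd[2103]: Failed password for root from 192.0.2.10 port 40002 ssh2
Apr 22 03:11:05 ws1 sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Apr 22 03:12:40 ws1 sshd[2110]: Failed password for alice from 198.51.100.7 port 51515 ssh2
Apr 22 03:13:02 ws1 sshd[2112]: Accepted publickey for alice from 198.51.100.7 port 51516 ssh2
Apr 22 03:20:00 ws1 sshd[2120]: Failed password for root from 203.0.113.5 port 33000 ssh2
Apr 22 03:20:02 ws1 sshd[2122]: Failed password for root from 203.0.113.5 port 33001 ssh2
Apr 22 03:20:04 ws1 sshd[2124]: Failed password for invalid user x from 198.51.100.7 port 22 ssh2 from 203.0.113.5 port 33002 ssh2
"""

# Anchored at end of line: the address comes from sshd's own trailing fields,
# never from text inside the user-name field (the greedy .* swallows that).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def offenders(log_text, threshold=3, allow=()):
    """Source IPs with at least `threshold` failed logins, minus allowlisted networks."""
    nets = [ip_network(n) for n in allow]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            addr = ip_address(m.group(1))  # only literal IPs ever reach a rule
        except ValueError:
            continue
        if not any(addr in net for net in nets):
            counts[str(addr)] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def block_rules(ips):
    """iptables commands (as strings, not executed) dropping SSH from each address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    # The admin network is allowlisted so a mistyped password cannot lock its owner out.
    for rule in block_rules(offenders(SAMPLE_LOG, allow=["198.51.100.0/24"])):
        print(rule)
```

The rules are only printed, so they can be reviewed before being applied.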

