[Intrusions] brute force attack - tcp wrappers and iptables not helping?

Suscripcions tsolucio suscripcions at tsolucio.com
Wed Apr 27 13:43:19 GMT 2005


Hello,
Our company servers receive this kind of attack every day; the things
that we have done and that work OK for us are:
-Change the default port to a higher one, like 3560 or something like
this.
-Don't permit root access.
-Create a user without a typical name for the access, and afterwards you
can su to the desired user.

These things don't stop the scans, but they make it very difficult for a
standard scan to do something useful for the attacker.


On Tue, 26-04-2005 at 16:07, Susanne Hemker wrote:
> Hi everybody,
> thanks for your suggestions and sorry I did not get back to you
> earlier. 
> 1) I tried to ssh from a host that is not in my /etc/hosts.allow and
> I do not get an ssh login, only: ssh_exchange_identification:
> Connection closed by remote host. 
> 2) The attacks come from different machines, some in Asia and some in
> the U.S., but those look to me as if they were hacked already in and are
> used to attack other computers. None of those IPs are in any way allowed
> to log onto my workstation. 
> 3) In the Iptables I have everything from the outside set to REJECT
> (both IPv4 and IPv6).
> 4) My "inside" hosts are on two subnets and those are listed in the
> /etc/hosts.allow and set to "ACCEPT all" in the Iptables
> 5) I do not have the hosts listed in the sshd_config, perhaps I should
> change this and also change the authentication method (which is
> PasswordAuthentication right now)
> Any further suggestions on how they might have gotten to the
> ssh-login?
> Thanks,
> Susanne
>  
> >>> Twalraven at counterpane.com 04/22/05 9:38 AM >>>
> Susanne, I see your concern.  Properly configured IPTables rules and
> TCPWrappers should prevent this.  Have you actually attempted to
> access
> the ssh service from a host outside of the lab yourself?
> 
> Tim Walraven,CISSP,CISM,CISA
> Counterpane Internet Security
> 
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Susanne Hemker
> Sent: Thursday, April 21, 2005 10:24 AM
> To: intrusions at lists.sans.org 
> Subject: [Intrusions] brute force attack - tcp wrappers and iptables
> not helping?
> 
> Hi everybody,
> 
> somebody is trying to break into one of our workstations. 
> The /var/log/secure contains lots of:
> 
>  Failed password for invalid user $name  from ::ffff:$IP  port $port
> ssh2
> 
> from different IPs, ports and usernames.
> 
> Since the tcp wrappers and the iptables should not allow ssh login
> from any host outside our lab, I am wondering how he/she even got to
> the login. Any suggestions?
> 
> Thanks,
> 
> Susanne
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org 
> http://www.dshield.org/mailman/listinfo/intrusions
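An added example (not code from the thread or from any of its posters) covering two points raised above: the "Failed password for invalid user $name from ::ffff:$IP port $port ssh2" lines Susanne quotes from /var/log/secure, and the sshd_config hardening steps in the reply at the top (non-default port, no root login, a dedicated non-obvious account). It parses constructed log lines in that format, unwraps the ::ffff: IPv4-mapped prefix that sshd logs on an IPv6 socket, counts attempts and usernames per source, flags any source that sits outside the allowed subnets (a non-empty result is exactly the case Susanne describes: the connection reached the password prompt despite the filters), and audits an sshd_config fragment against the listed steps. The sample log lines, hostname and PIDs, the subnets 192.168.10.0/24 and 10.0.5.0/24 standing in for the two lab subnets, and the username x7k2admin are all constructed assumptions, not values from the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed /var/log/secure sample in the shape quoted in the thread. Hostname, PIDs and
# addresses are made up; the external IPs are from the RFC 5737 documentation ranges.
SAMPLE_SECURE_LOG = """\
Apr 21 09:12:01 ws1 sshd[2211]: Failed password for invalid user admin from ::ffff:203.0.113.5 port 41212 ssh2
Apr 21 09:12:03 ws1 sshd[2213]: Failed password for invalid user test from ::ffff:203.0.113.5 port 41214 ssh2
Apr 21 09:12:07 ws1 sshd[2215]: Failed password for invalid user oracle from ::ffff:198.51.100.77 port 60001 ssh2
Apr 21 09:13:10 ws1 sshd[2220]: Failed password for susanne from ::ffff:192.168.10.4 port 50222 ssh2
Apr 21 09:14:00 ws1 sshd[2230]: Accepted password for susanne from ::ffff:192.168.10.4 port 50223 ssh2
"""

# Hypothetical stand-ins for the two lab subnets in /etc/hosts.allow (the real ones are not on the page).
LAB_SUBNETS = [ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.0.5.0/24")]

FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def normalize_ip(raw):
    """sshd on an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d; unwrap so subnet checks work."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_failed_logins(log_text):
    """Yield (username, invalid_user_flag, source_ip) per 'Failed password' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("invalid") is not None, normalize_ip(m.group("ip"))


def is_allowed(ip, subnets=LAB_SUBNETS):
    """True if the source lies in a subnet that hosts.allow / iptables is supposed to admit."""
    return any(ip in net for net in subnets)


def summarize(log_text, subnets=LAB_SUBNETS):
    """Per-source summary: attempt count, usernames tried, and whether the source is an allowed subnet."""
    attempts = Counter()
    users = defaultdict(set)
    for user, _invalid, ip in parse_failed_logins(log_text):
        attempts[ip] += 1
        users[ip].add(user)
    return {
        str(ip): {"attempts": n, "users": sorted(users[ip]), "allowed": is_allowed(ip, subnets)}
        for ip, n in attempts.items()
    }


def unexpected_sources(log_text, subnets=LAB_SUBNETS):
    """Sources that reached sshd's password prompt although no allow rule covers them.
    Anything listed here got past both iptables and tcp_wrappers."""
    return sorted(ip for ip, stats in summarize(log_text, subnets).items() if not stats["allowed"])


# Constructed sshd_config fragments: defaults the thread worries about, and one following the
# hardening steps in the reply above. The account name x7k2admin is a placeholder.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 3560
PermitRootLogin no
PasswordAuthentication no
AllowUsers x7k2admin
"""


def audit_sshd_config(text):
    """Findings against the thread's hardening steps; an empty list means every step is applied.
    A missing keyword is treated as 'not explicitly hardened'."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")  # sshd keeps the first occurrence
    findings = []
    if opts.get("port", "22") == "22":
        findings.append("Port is the default 22; move sshd to a non-default port")
    if opts.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no'; disable direct root login")
    if "allowusers" not in opts:
        findings.append("No AllowUsers line; restrict logins to the dedicated non-obvious account")
    if opts.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is yes; prefer public-key authentication")
    return findings


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_SECURE_LOG).items():
        print(ip, stats)
    print("sources that should have been blocked:", unexpected_sources(SAMPLE_SECURE_LOG))
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Run it against a real /var/log/secure by reading the file into `summarize()` and replacing LAB_SUBNETS with the subnets actually listed in hosts.allow; any entry in `unexpected_sources()` is a source the filters let through and worth checking against the iptables counters and the hosts.allow/hosts.deny order.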