[Intrusions] brute force attack - tcp wrappers and iptables not helping?
Scott Mcintyre
security at isnnetworks.net
Wed Apr 27 13:56:43 GMT 2005
I have to agree, the most common attack we get on all of our servers
is brute force. Since we moved the ssh port, these attacks are barely
seen, since they do not scan for our other ssh port. Even though it's
easy to find, most of the scanners just scan for the default ssh port.
-Scott Mcintyre
> Hello,
> Our company servers receive this kind of attacks every day; the things
> that we've done and that work ok for us are:
> -Change the default port to a higher one like 3560, or something like
> this.
> -Don't permit root access.
> -Create a user without a typical name for the access, and after you
> can su to the desired user.
>
> These things don't stop the scans, but they make it very difficult for a
> standard scan to do something useful for the attacker.
>
>
> On Tue, 26-04-2005 at 16:07, Susanne Hemker wrote:
> > Hi everybody,
> > thanks for your suggestions and sorry I did not get back to you
> > earlier.
> > 1) I tried to ssh from a host that is not in my /etc/hosts.allow and
> > I do not get an ssh login, only: ssh_exchange_identification:
> > Connection closed by remote host.
> > 2) The attacks come from different machines, some in Asia and some in
> > the U.S., but those look to me as if they were hacked already and are
> > used to attack other computers. None of those IPs are in any way allowed
> > to log onto my workstation.
> > 3) In the Iptables I have everything from the outside set to REJECT
> > (both IPv4 and IPv6).
> > 4) My "inside" hosts are on two subnets and those are listed in the
> > /etc/hosts.allow and set to "ACCEPT all" in the Iptables.
> > 5) I do not have the hosts listed in the sshd_config, perhaps I should
> > change this and also change the authentication method (which is
> > PasswordAuthentication right now).
> > Any further suggestions on how they might have gotten to the
> > ssh-login?
> > Thanks,
> > Susanne
> >
> > >>> Twalraven at counterpane.com 04/22/05 9:38 AM >>>
> > Susanne, I see your concern. Properly configured IPTables rules and
> > TCPWrappers should prevent this. Have you actually attempted to access
> > the ssh service from a host outside of the lab yourself?
> >
> > Tim Walraven,CISSP,CISM,CISA
> > Counterpane Internet Security
> >
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Susanne Hemker
> > Sent: Thursday, April 21, 2005 10:24 AM
> > To: intrusions at lists.sans.org
> > Subject: [Intrusions] brute force attack - tcp wrappers and iptables
> > not helping?
> >
> > Hi everybody,
> >
> > somebody is trying to break into one of our workstations.
> > The /var/log/secure contains lots of:
> >
> > Failed password for invalid user $name from ::ffff:$IP port $port ssh2
> >
> > from different IPs, ports and usernames.
> >
> > Since the tcp wrappers and the iptables should not allow ssh login from
> > any host outside our lab, I am wondering how he/she even got to the
> > login. Any suggestions?
> >
> > Thanks,
> >
> > Susanne
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> >
>
>
>
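The thread's original question is how to tell, from /var/log/secure, which sources are reaching the ssh login despite hosts.allow and iptables. The following script is an added example, not code from anyone in the thread: it parses "Failed password" lines of the format Susanne quotes, unwraps the ::ffff: IPv4-mapped IPv6 form those log lines show so that the source can be compared against the lab's IPv4 allow-list, and reports per-source counts, user names tried, and whether the source is inside the allowed subnets. The log lines, host names, addresses, ports and the two allowed subnets are all constructed for this example; the subnets stand in for the two "inside" networks listed in hosts.allow.

```python
import ipaddress
import re

# Constructed sample lines in the /var/log/secure format quoted in the thread.
# Host names, addresses, ports and user names are made up for this example.
SAMPLE_LOG = """\
Apr 21 09:12:01 ws1 sshd[2311]: Failed password for invalid user admin from ::ffff:203.0.113.7 port 41022 ssh2
Apr 21 09:12:04 ws1 sshd[2313]: Failed password for invalid user test from ::ffff:203.0.113.7 port 41031 ssh2
Apr 21 09:12:09 ws1 sshd[2315]: Failed password for invalid user oracle from ::ffff:203.0.113.7 port 41040 ssh2
Apr 21 09:12:15 ws1 sshd[2317]: Failed password for root from ::ffff:198.51.100.22 port 55012 ssh2
Apr 21 09:13:40 ws1 sshd[2320]: Accepted password for susanne from 10.1.2.33 port 50122 ssh2
Apr 21 09:14:02 ws1 sshd[2322]: Failed password for susanne from 10.1.2.33 port 50130 ssh2
"""

# Matches both the "invalid user" form from the thread and the form sshd
# logs for an existing account ("Failed password for root from ...").
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2"
)

# Hypothetical lab subnets standing in for the two "inside" subnets in hosts.allow.
ALLOWED_NETS = [
    ipaddress.ip_network("10.1.2.0/24"),
    ipaddress.ip_network("10.1.3.0/24"),
]


def normalize(src):
    """Return the logged source as an address object, unwrapping the
    ::ffff:a.b.c.d IPv4-mapped IPv6 form sshd logs on an IPv6 socket."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(addr, nets=ALLOWED_NETS):
    """True if the (normalized) address falls inside one of the allowed subnets."""
    return any(addr in net for net in nets)


def summarize_failures(log_text, nets=ALLOWED_NETS):
    """Per-source summary of failed logins: attempt count, user names tried,
    and whether the source is in the allow-list. Keys are normalized IPs."""
    stats = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        addr = normalize(m.group("src"))
        entry = stats.setdefault(
            str(addr),
            {"attempts": 0, "users": set(), "allowed": is_allowed(addr, nets)},
        )
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    return stats


def suspicious_sources(stats, threshold=3):
    """Sources that should not have reached the login at all (outside the
    allow-list) plus any source with at least `threshold` failures."""
    return sorted(
        ip for ip, e in stats.items()
        if not e["allowed"] or e["attempts"] >= threshold
    )


if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_LOG)
    for ip, e in sorted(stats.items()):
        where = "inside" if e["allowed"] else "OUTSIDE"
        print(f"{ip:16} {where:8} attempts={e['attempts']} users={sorted(e['users'])}")
    print("suspicious:", suspicious_sources(stats))
```

Any source reported as OUTSIDE is one the packet filter and tcp wrappers were expected to stop, so the list is a direct check of whether those controls are doing what the configuration says; running it against the real log instead of SAMPLE_LOG only needs the path swapped in and the allowed subnets replaced with the lab's own.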