[Intrusions] brute force attack - tcp wrappers and iptables not helping?
Susanne Hemker
shemker2 at jhmi.edu
Wed Apr 27 15:25:51 GMT 2005
Hi Donald,
the reverse lookup on the IPs works fine (I used dig -x). It is mostly
private homepages and I doubt that those people are really trying to
attack the workstation; it is more likely that they have been hacked
into already. The thing I really want to know is, how did they get to
the ssh login in the first place? I understood all the things you guys
suggested on how to secure my workstation, but I am just curious how they
got past the tcp wrapper.
Thanks,
Susanne
>>> Donald.Smith at qwest.com 04/27/05 9:57 AM >>>
A few questions/comments inline below.
donald.smith at qwest.com giac
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Susanne Hemker
> Sent: Tuesday, April 26, 2005 8:08 AM
> To: intrusions at lists.sans.org
> Subject: RE: [Intrusions] brute force attack - tcp wrappers
> and iptables not helping?
>
>
> Hi everybody,
> thanks for your suggestions and sorry I did not get back to
> you earlier.
> 1) I tried to ssh from a host that is not in my
> /etc/hosts.allow and I do not get an ssh login, only:
> ssh_exchange_identification: Connection closed by remote host.
Which means you completed a TCP 3-way handshake but were refused by the
sshd (probably tcp wrappers, not iptables)!
iptables should have refused the connection before the three-way
handshake was completed.
> 2) The attacks come from different machines, some in Asia and
> some in the U.S., but those look to me as if they were hacked
> already in and are used to attack other computers. None of
> those IPs are in any way allowed to log onto my workstation.
What are those IPs and what does your dns resolver return when you ask
for a reverse ip lookup?
With all the dns poisoning, hijacking etc there may be a way to trick
your filters depending on the return hostname for that reverse ip
lookup.
> 3) In the Iptables I have everything from the outside set to
> REJECT (both IPv4 and IPv6).
> 4) My "inside" hosts are on two subnets and those are listed
> in the /etc/hosts.allow and set to "ACCEPT all" in the Iptables
> 5) I do not have the hosts listed in the sshd_config, perhaps
> I should change this and also change the authentication
> method (which is PasswordAuthentication right now) Any
> further suggestions on how they might have gotten to the
> ssh-login? Thanks, Susanne
>
> >>> Twalraven at counterpane.com 04/22/05 9:38 AM >>>
> Susanne, I see your concern. Properly configured IPTables
> rules and TCPWrappers should prevent this. Have you actually
> attempted to access the ssh service from a host outside of
> the lab yourself?
>
> Tim Walraven,CISSP,CISM,CISA
> Counterpane Internet Security
>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Susanne Hemker
> Sent: Thursday, April 21, 2005 10:24 AM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] brute force attack - tcp wrappers and
> iptables not helping?
>
> Hi everybody,
>
> somebody is trying to break into one of our workstations.
> The /var/log/secure contains lots of:
>
> Failed password for invalid user $name from ::ffff:$IP
> port $port ssh2
>
> from different IPs, ports and usernames.
>
> Since the tcp wrappers and the iptables should not allow ssh
> login from any host outside our lab, I am wondering how he/she
> even got to the login. Any suggestions?
>
> Thanks,
>
> Susanne
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
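The thread turns on two observations: the "::ffff:$IP" form in /var/log/secure and what a client sees when each filtering layer refuses it. The script below is an added example, not code from the thread or its participants. It parses log lines in the quoted format, folds IPv4-mapped IPv6 addresses back to plain IPv4 (those connections are IPv4 on the wire, so the IPv4 iptables rules are the ones that had to stop them), counts failures per source, and flags sources outside the allowed subnets, i.e. the ones that reached sshd's authentication despite hosts.allow and iptables. The sample log lines and the two "inside" subnets are constructed placeholders; the thread gives neither. The client-message classifier encodes Donald's point: "ssh_exchange_identification: Connection closed by remote host" means the TCP handshake completed and sshd (via tcp wrappers) hung up, whereas iptables REJECT or DROP would have produced "Connection refused" or a timeout before any SSH data flowed.

```python
"""Triage sshd brute-force log lines against an allow-list of inside subnets.

Added example, not from the thread. Assumes /var/log/secure lines in the
format quoted in the thread and two hypothetical inside subnets.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the quoted format; the IPs are documentation
# and private ranges, not real attackers.
SAMPLE_LOG = """\
Apr 21 09:12:01 ws1 sshd[2231]: Failed password for invalid user admin from ::ffff:198.51.100.23 port 51234 ssh2
Apr 21 09:12:03 ws1 sshd[2231]: Failed password for invalid user test from ::ffff:198.51.100.23 port 51235 ssh2
Apr 21 09:12:09 ws1 sshd[2240]: Failed password for invalid user oracle from ::ffff:203.0.113.7 port 4022 ssh2
Apr 21 09:13:11 ws1 sshd[2250]: Failed password for susanne from ::ffff:10.1.2.15 port 40022 ssh2
Apr 21 09:14:00 ws1 sshd[2255]: Accepted password for susanne from ::ffff:10.1.2.15 port 40023 ssh2
"""

# Hypothetical "inside" subnets standing in for the two the thread mentions.
ALLOWED_SUBNETS = [ipaddress.ip_network("10.1.2.0/24"),
                   ipaddress.ip_network("10.1.3.0/24")]

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2")


def normalize_ip(raw):
    """Turn an address as sshd logs it into an ipaddress object.

    sshd listening on an IPv6 socket logs IPv4 peers as IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d). Those packets are IPv4 on the wire, so the
    IPv4 iptables rules, not ip6tables, are what must block them.
    """
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(addr):
    """True if the address falls inside one of the allowed subnets."""
    return any(addr in net for net in ALLOWED_SUBNETS)


def parse_failures(log_text):
    """Yield (user, ip, port) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), normalize_ip(m.group("ip")), int(m.group("port"))


def triage(log_text):
    """Count failures per source and flag sources outside the allowed subnets.

    Every entry in 'bypassed' reached sshd's password prompt even though
    hosts.allow and iptables should have refused it earlier.
    """
    per_ip = Counter()
    users = {}
    for user, ip, _port in parse_failures(log_text):
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(user)
    return {
        "failures": {str(ip): n for ip, n in per_ip.items()},
        "bypassed": {str(ip): n for ip, n in per_ip.items() if not is_allowed(ip)},
        "users": {str(ip): sorted(u) for ip, u in users.items()},
    }


def classify_client_message(msg):
    """Map the ssh client's error from an outside host to the layer that answered.

    Heuristic based on the usual client messages (an assumption, not from the thread).
    """
    if "ssh_exchange_identification" in msg:
        # TCP handshake completed; sshd (typically via tcp wrappers) hung up.
        return "tcp-wrappers"
    if "Connection refused" in msg:
        # RST or ICMP unreachable before any SSH data: iptables REJECT or nothing listening.
        return "iptables-reject"
    if "timed out" in msg:
        # No answer at all: iptables DROP or a path problem.
        return "iptables-drop"
    return "unknown"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in sorted(result["bypassed"].items()):
        print(f"{ip}: {n} failed logins from outside the allowed subnets, users {result['users'][ip]}")
    print(classify_client_message("ssh_exchange_identification: Connection closed by remote host"))
```

Run it against the real /var/log/secure by reading the file into triage(); any source listed under "bypassed" is one the filters let through, and its address (after stripping ::ffff:) is what to test the iptables and hosts.allow rules against.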