[Dshield] SSH Bots

Timothy A. Holmes tholmes at mcaschool.net
Wed Mar 8 14:35:36 GMT 2006

This discussion has gotten me thinking - and cleaning up my act!!!

I have already reset my ssh to disallow root logins, and im wondering
what the next REASONABLE step is.  Some form of key based authentication
sounds interesting, but im a single person running an entire network,
and I don't have tons of hours to invest (yes, I know I also don't have
the weeks necessary to rebuild after an attack) im looking for the best
compromise between good security and ease of setup and administration.

My environment is mixed windows 2003 server / Fedora core 3/4 and /

All linux is heading toward Gentoo, but im stuck with the Windows stuff.

Suggestions, references, etc. are always appreciated

Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher
Medina Christian Academy
A Higher Standard...
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14

> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-
> bounces at lists.dshield.org] On Behalf Of Gutza
> Sent: Wednesday, March 08, 2006 6:33 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] SSH Bots
> Frank Knobbe wrote:
> >Dude, you're still using passwords? Get rid of those and use keys!
> >a bit harder to brute force a 2048 bit key :)
> >
> >
> Note: I'm not the original poster.
> Yeah, but it's a LOT harder to remember a 2048 bit key. So you tend to
> keep it on a computer. And when that gets penetrated for an unrelated
> reason, you end up with ALL of your accounts compromised on all
> computers. No, thanks.
> My solution was to maintain a whilelist. Of course, the issue here is
> maintaining it in a reasonable manner. What I did was to write a
> script which binds to a random (but stable) port -- you telnet the
> on that port, and if you give the proper command, it adds your IP to
> hosts.allow on SSH. Whenever I or someone else in the team is away,
> allow their temporary IP address and log in -- no extra risks involved
> and no real hassle.
> I know, I know, obscurity -- but it slashed my SSH probing to nil.
> Cheers,
> Bogdan
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own
> couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list