[Dshield] SSH Bots

Frank Knobbe frank at knobbe.us
Thu Mar 9 01:16:50 GMT 2006


On Wed, 2006-03-08 at 13:33 +0200, Gutza wrote:
> Yeah, but it's a LOT harder to remember a 2048 bit key. So you tend to
> keep it on a computer. And when that gets penetrated for an unrelated
> reason, you end up with ALL of your accounts compromised on all
> computers. No, thanks.

uhm... "man ssh-keygen". Keys are usually protected with pass-phrases.
That means if someone got a hold of your private key, he will still
have to brute the pass-phrase.

> My solution was to maintain a whitelist. Of course, the issue here is
> maintaining it in a reasonable manner.

Of course, if you can limit the source addresses via firewall rules or
"AllowUsers" statements in sshd_config, that would be preferred.

> What I did was to write a simple
> script which binds to a random (but stable) port -- you telnet the host
> on that port, and if you give the proper command, it adds your IP to
> hosts.allow on SSH. Whenever I or someone else in the team is away, they
> allow their temporary IP address and log in -- no extra risks involved
> and no real hassle.
> 
> I know, I know, obscurity -- but it slashed my SSH probing to nil.

So does simply changing the SSH port ;)

-Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
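
The pass-phrase point above only holds for keys that actually have one, so here is an added example (not part of the original message) that audits a directory for private keys that load with an empty pass-phrase. The function names are made up for this illustration; it relies only on `ssh-keygen -y` and `-P`.

```shell
#!/bin/sh
# Added example: flag private keys that are NOT protected by a pass-phrase.
# Function names are hypothetical; only ssh-keygen itself is assumed.

# looks_like_private_key FILE
# True when the first line is a PEM/OpenSSH private key header,
# so .pub files, known_hosts and config are skipped.
looks_like_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q -e '^-----BEGIN .*PRIVATE KEY-----'
}

# key_is_unprotected FILE
# -y derives the public key, which needs the decrypted private key.
# -P '' supplies an empty pass-phrase, so ssh-keygen never prompts:
# exit 0 means the key loaded with no pass-phrase at all.
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# audit_keys DIR
# Prints one line per private key found; returns 1 if any has no pass-phrase.
# Limitation: a key ssh-keygen refuses for another reason (for example
# group/world-readable permissions) is reported in the second bucket.
audit_keys() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        looks_like_private_key "$f" || continue
        if key_is_unprotected "$f"; then
            echo "NO-PASSPHRASE $f"
            found=1
        else
            echo "passphrase-set-or-unloadable $f"
        fi
    done
    return "$found"
}

# Run as a script: sh audit.sh ~/.ssh
[ "$#" -eq 0 ] || audit_keys "$1"
```

A key flagged NO-PASSPHRASE can be given one in place with `ssh-keygen -p -f <keyfile>`.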