[unisog] step up in SSH scanning starting today?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue May 13 19:47:21 GMT 2008


On Tue, 13 May 2008 13:28:33 EDT, "Couples, Christopher" said:

> As a side note, someone mentioned autoban to programmatically add
> brute-forcing hosts to hosts.deny; I'd also like to plug denyhosts, a python
> script that can also be found on sourceforge. Are there other tools that are
> widely in use, or are most folks simply rolling their own?

The *best* solution, although not practiced as widely as one would hope, is
to use iptables to limit what address ranges a connection can come from. For
example, one server we have here has iptables rules to only allow inbound
SSH from our two /16s, and one or two /16s that belong to local cable/dsl
providers that serve our sysadmin's home connections.  As far as we're
concerned, those 4 /16's can connect, and the other 65,532 /16s can go find
someplace else to bother.  Greatly cuts down the log noise. ;)

If you have sysadmins that travel, port-knocking is sometimes an option:

http://www.debian-administration.org/articles/268

For added fun - require one or two knocks on *udp* ports, or xmas-tree packets,
and use hping2 to send the required bits.. ;)
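The iptables allowlist described above, written out as an added example (this is not code from the post or the unisog list); the four /16 ranges are constructed placeholders standing in for the campus and home-ISP ranges, and the script only prints the rules so they can be reviewed before being applied:

```shell
#!/bin/sh
# Generate (not apply) an iptables allowlist for inbound SSH: only the listed
# CIDR ranges may open new connections to tcp/22; everything else is dropped.
# Ranges below are constructed placeholders; replace with your own /16s.
ALLOWED_RANGES="10.10.0.0/16 10.20.0.0/16 10.30.0.0/16 10.40.0.0/16"
SSH_PORT=22

# Reject anything that is not a dotted quad with a prefix length, so a typo
# cannot silently turn into an "accept from anywhere" rule.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

ssh_allowlist_rules() {
    _port="${1:-$SSH_PORT}"
    # Keep already-established SSH sessions working, whatever their source.
    echo "iptables -A INPUT -p tcp --dport $_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for range in $ALLOWED_RANGES; do
        if ! valid_cidr "$range"; then
            echo "invalid CIDR in ALLOWED_RANGES: $range" >&2
            return 1
        fi
        echo "iptables -A INPUT -p tcp --dport $_port -s $range -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Default deny for new SSH connections from anywhere else. Log a rate-limited
    # sample first so scanners still show up in the logs without flooding them.
    echo "iptables -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix 'SSH-DENY: '"
    echo "iptables -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -j DROP"
}

# Review the output, then apply as root with:  ssh_allowlist_rules | sh
ssh_allowlist_rules
```

Rule order matters: the per-range ACCEPT lines must precede the final DROP, and the ESTABLISHED rule keeps your own session alive if you apply this over SSH.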