From: "Brian G. Peterson"
To: gentoo-security@lists.gentoo.org
Date: Sun, 7 Nov 2004 07:31:46 -0600
Subject: Re: [gentoo-security] help blocking automated ssh scanning attack script
Message-Id: <200411070731.46895.brian@braverock.com>
In-Reply-To: <2C179793-30BF-11D9-915D-000A95C1BF32@linuxforce.org>

On Sunday 07 November 2004 07:16 am, Gary Nichols wrote:
> Brian,
>
> Is there a reason that you have to run ssh on the default port of 22?
> I haven't run ssh on port 22 in years due to all the menacing kiddies
> out there with their scripts.
> I know this doesn't answer your question, but just a suggestion.

Yes, I frequently travel to and work from client companies with very
restrictive outbound firewalls. Port 22 (and port 8080) are (usually) open
on those firewalls, so my servers listen for ssh connections on those ports.

ssh on my machines is also configured to only allow key-based
authentication, only certain users are allowed to ssh into my boxen remotely
from external IPs, etc., so this script is *not* really a threat to me. I
just want to shut it down before it totally litters my logs, if possible,
and also perhaps help out people who don't have sshd as locked down as I do.

The Gentoo forum thread here:

http://forums.gentoo.org/viewtopic.php?t=210585

and here:

http://forums.gentoo.org/viewtopic.php?t=210585&postdays=0&postorder=asc&start=36

talks about using iptables to detect port scans, which is what I use
portsentry for. However, in most cases this script isn't doing a port scan,
just attacking on port 22.

> On Nov 7, 2004, at 6:10 AM, Brian G. Peterson wrote:
> > Can anyone help me out with a simple log scanning script that could
> > detect the 'illegal user xxx' strings in /var/log/secure and issue the
> > "/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut
> > these addresses down.

Regards,

  - Brian

--
gentoo-security@gentoo.org mailing list
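The log-scanning script Brian asks for in the quoted message, as an added example that is not part of the original thread or of any Gentoo tool. The only thing taken from the thread is the blocking command itself, "/sbin/iptables -I INPUT -s <ip> -j DROP"; the syslog line format, the threshold of three attempts, the allow-list, the state file path and the sample log lines are all assumptions made for this example. Two details a practitioner would want that the one-liner in the message does not have: a threshold and an allow-list, so that a single mistyped username from a legitimate user (or from your own client-site address) does not lock you out, and a record of addresses already dropped, so that re-running the script from cron does not insert the same rule again and again.

```python
#!/usr/bin/env python3
"""Scan an sshd log for unknown-user login attempts and emit iptables DROP rules.

Added example for the gentoo-security thread; not code from the original post.
Assumptions (not from the thread): syslog-style /var/log/secure lines, a
threshold of 3 attempts, an allow-list of networks that must never be blocked,
and a hypothetical state file /var/lib/ssh-scan-blocks listing IPs already
dropped.  The iptables command is the one quoted in the message.
"""
import ipaddress
import re
import subprocess
import sys
from collections import Counter

# OpenSSH of the period logged "Illegal user"; later releases say "Invalid
# user".  Match both so an sshd upgrade does not silently disable the script.
FAILED_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user \S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)

THRESHOLD = 3                      # assumed: attempts before an IP is dropped
ALLOW_NETS = ["192.0.2.0/24"]      # assumed: networks you log in from yourself
STATE_FILE = "/var/lib/ssh-scan-blocks"   # hypothetical path, one IP per line

# Constructed sample log lines (not from the original post) for an offline run.
# 221.232.128.2 is the address quoted in the thread; the rest are documentation
# ranges.
SAMPLE_LOG = """\
Nov  7 06:55:12 host sshd[20517]: Illegal user test from 221.232.128.2
Nov  7 06:55:14 host sshd[20519]: Illegal user guest from 221.232.128.2
Nov  7 06:55:16 host sshd[20521]: Illegal user admin from 221.232.128.2
Nov  7 06:55:18 host sshd[20523]: Invalid user oracle from 10.0.0.5 port 4022
Nov  7 06:56:01 host sshd[20530]: Accepted publickey for brian from 192.0.2.10 port 51234 ssh2
Nov  7 06:57:40 host sshd[20540]: Illegal user user from 198.51.100.7
"""


def count_probes(lines):
    """Return a Counter of source IP -> number of unknown-user login attempts."""
    counts = Counter()
    for line in lines:
        m = FAILED_USER_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold=THRESHOLD, allow_nets=ALLOW_NETS, already_blocked=()):
    """IPs at or over the threshold, minus allow-listed networks and known blocks."""
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    blocked = set(already_blocked)
    result = []
    for ip, n in sorted(counts.items()):
        if n < threshold or ip in blocked:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue   # never drop the networks we administer from
        result.append(ip)
    return result


def drop_command(ip):
    """The exact rule quoted in the thread, as an argv list for subprocess."""
    return ["/sbin/iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def load_blocked(path=STATE_FILE):
    try:
        with open(path) as f:
            return {line.strip() for line in f if line.strip()}
    except FileNotFoundError:
        return set()


def main(argv):
    """Usage: ssh-scan-block.py [/var/log/secure] [--dry-run]"""
    dry_run = "--dry-run" in argv
    paths = [a for a in argv[1:] if not a.startswith("--")] or ["/var/log/secure"]
    lines = []
    for p in paths:
        with open(p, errors="replace") as f:
            lines.extend(f)
    blocked = load_blocked()
    for ip in offenders(count_probes(lines), already_blocked=blocked):
        cmd = drop_command(ip)
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
            with open(STATE_FILE, "a") as f:
                f.write(ip + "\n")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with "--dry-run" first to see which rules it would insert; once the allow-list covers every address you log in from, drop the flag and call it from cron every few minutes. Because the rule is inserted at the head of INPUT it takes effect immediately, and the state file keeps a reboot-survivable record of what was dropped so the same addresses can be re-added after the firewall is reloaded.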