* [gentoo-user] SSH authentication attempts - serious issue
@ 2006-06-05 15:06 Leandro Melo de Sales
2006-06-05 15:27 ` Oliver Schmidt
` (3 more replies)
0 siblings, 4 replies; 17+ messages in thread
From: Leandro Melo de Sales @ 2006-06-05 15:06 UTC (permalink / raw
To: gentoo-user
Hi,
today when I was checking the server log I got many external
attempts to connect to my sshd service:
...
Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
...
this seems to be a brute force attack, but one thing that worried me
is why sshd didn't disconnect the remote host after 3 unsuccessful
attempts? If we see in the log, there are many attempts with time
interval between attempts of 2 or 3 seconds meaning that the sshd
didn't disconnect the remote host after 3 attempts.
So, first, am I thinking correctly about the sshd attempts?
Second, how can I set up sshd or the entire system to permit just 2 or
3 attempts of authentication? I was checking the /etc/login.defs file
and I see the following option:
#
# Max number of login retries if password is bad
#
LOGIN_RETRIES 3
but why didn't this work for the above connection attempts?
Thank you,
Leandro.
--
gentoo-user@gentoo.org mailing list
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 15:06 [gentoo-user] SSH authentication attempts - serious issue Leandro Melo de Sales
@ 2006-06-05 15:27 ` Oliver Schmidt
2006-06-05 15:43 ` Richard Broersma Jr
` (3 more replies)
2006-06-05 15:30 ` Uwe Thiem
` (2 subsequent siblings)
3 siblings, 4 replies; 17+ messages in thread
From: Oliver Schmidt @ 2006-06-05 15:27 UTC (permalink / raw
To: gentoo-user
> Hi,
>
> today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
>
> this seems to be a brute force attack, but one thing that worried me
> is why sshd didn't disconnect the remote host after 3 unsuccessful
> attempts? If we see in the log, there are many attempts with time
> interval between attempts of 2 or 3 seconds meaning that the sshd
> didn't disconnect the remote host after 3 attempts.
> So, first, Am I thinking correct about the sshd attempts?
> Second, how can I setup sshd or the entire system to permit just 2 or
> 3 attempts of authentication? I was checking the /etc/login.defs file
> and I see the following option:
>
Try using Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts
adds the IP of the attacker to the /etc/hosts.deny file.
Install it with:
ACCEPT_KEYWORDS="~x86" emerge denyhosts
and add to your /etc/crontab
*/10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
I've used it for more than a year now... it's perfect to block bruteforce attacks.
cheers
Oli
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 15:27 ` Oliver Schmidt
@ 2006-06-05 15:43 ` Richard Broersma Jr
2006-06-05 15:50 ` Willie Wong
` (2 subsequent siblings)
3 siblings, 0 replies; 17+ messages in thread
From: Richard Broersma Jr @ 2006-06-05 15:43 UTC (permalink / raw
To: gentoo-user
> Try using Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> I've used it for more than a year now... it's perfect to block bruteforce attacks.
Also, you can edit your denyhosts conf file to report offending IPs to their denyhosts server and
also download an updated list of offending IPs that other community members have reported. Using
this feature, you won't give "crackers" a first chance at getting to your server.
Regards,
Richard Broersma
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 15:27 ` Oliver Schmidt
2006-06-05 15:43 ` Richard Broersma Jr
@ 2006-06-05 15:50 ` Willie Wong
2006-06-05 17:15 ` Leandro Melo de Sales
2006-06-05 17:56 ` Steven Susbauer
3 siblings, 0 replies; 17+ messages in thread
From: Willie Wong @ 2006-06-05 15:50 UTC (permalink / raw
To: gentoo-user
On Mon, Jun 05, 2006 at 05:27:24PM +0200, Oliver Schmidt wrote:
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with time
> > interval between attempts of 2 or 3 seconds meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> > So, first, Am I thinking correct about the sshd attempts?
> > Second, how can I setup sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:
Please tell me if I am wrong, but IIRC, each connection attempt to sshd calls
one instance of login, so although the LOGIN_RETRIES option sets 3 attempts
before the program exits, an IP address is free to initiate another connection.
There have been many discussions on this list in the past 18 months regarding
this very issue (blocking brute-force ssh attempts). A search on gmane should
give you some ideas about how to use iptables to filter out the offending
IP addresses by limiting the number of connections allowed per time period.
> Try using Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> I've used it for more than a year now... it's perfect to block bruteforce attacks.
>
Hey, this is a great program. If it were in portage earlier I wouldn't have
needed to write my own solution to the problem. (I use a perl script to
parse /var/log/pwdfail and drop the connection at the firewall.)
According to the homepage of denyhosts, it should be able to run in daemon mode,
by following the log file. Is there any reason you prefer running it in crontab
instead of as a daemon? I am asking because judging from my past experiences,
the attackers often send out multiple attempts per second, so a */10 would
let in upwards of 30 attempts before denyhosts picks up.
Best,
W
--
Willie W. Wong
wwong@math.princeton.edu
brought to you by the Roman letter i, the Hebrew letter \aleph, the Greek
letter \pi, and the non-letter \hbar
^ permalink raw reply [flat|nested] 17+ messages in thread
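Added example, not part of any message in this thread: a Python sketch of the log-watching approach discussed above (count sshd "Invalid user" lines per source and block at a threshold), comparing a daemon that follows the log with a scan run every 10 minutes from cron. The log lines, the documentation-range addresses and the threshold of 5 are constructed assumptions, and a block is modelled as taking effect instantly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd lines quoted in this thread; newer sshd versions append
# " port N", which is accepted and ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Invalid user (?P<user>\S*) from (?P<src>\S+)(?: port \d+)?\s*$"
)


def constructed_log():
    """Constructed sample: one source guessing every 2 s, one user with typos."""
    start = datetime(2006, 6, 5, 5, 10, 1)
    lines = []
    for i in range(40):
        t = start + timedelta(seconds=2 * i)
        lines.append(
            f"{t:%b} {t.day:2d} {t:%H:%M:%S} embedded sshd[{4740 + 2 * i}]: "
            f"Invalid user guess{i} from 192.0.2.10"
        )
    lines.append("Jun  5 05:10:12 embedded sshd[5001]: Invalid user leandor from 198.51.100.7")
    lines.append("Jun  5 05:10:30 embedded sshd[5003]: Invalid user laendro from 198.51.100.7")
    lines.append("Jun  5 05:10:31 embedded sshd[5004]: "
                 "Accepted password for leandro from 198.51.100.7 port 40022 ssh2")
    return "\n".join(lines)


def parse(log_text, year=2006):
    """Return sorted (timestamp, source, user) tuples for 'Invalid user' lines.

    Syslog timestamps carry no year, so it is passed in (assumption).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # any other sshd line, e.g. a successful login
        stamp = " ".join(m["ts"].split())  # collapse the space-padded day
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return sorted(events)


def attempts_before_block(events, threshold=5, scan_interval=None):
    """For each source, report when it would be blocked and how many
    attempts reached sshd before that.

    scan_interval=None models a daemon following the log; a timedelta
    models a cron job that only looks at the log on interval boundaries.
    """
    by_src = defaultdict(list)
    for ts, src, _user in events:
        by_src[src].append(ts)

    result = {}
    for src, stamps in by_src.items():
        if len(stamps) < threshold:
            result[src] = {"blocked_at": None, "let_in": len(stamps)}
            continue
        trigger = stamps[threshold - 1]  # the attempt that crosses the threshold
        if scan_interval is None:
            blocked_at = trigger
        else:
            midnight = trigger.replace(hour=0, minute=0, second=0, microsecond=0)
            runs = (trigger - midnight) // scan_interval + 1
            blocked_at = midnight + runs * scan_interval  # next cron run
        let_in = sum(1 for ts in stamps if ts <= blocked_at)
        result[src] = {"blocked_at": blocked_at, "let_in": let_in}
    return result


if __name__ == "__main__":
    events = parse(constructed_log())
    for label, interval in (("daemon", None), ("cron */10", timedelta(minutes=10))):
        for src, r in sorted(attempts_before_block(events, 5, interval).items()):
            print(f"{label:10} {src:15} let_in={r['let_in']:3} blocked_at={r['blocked_at']}")
```
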
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 15:27 ` Oliver Schmidt
2006-06-05 15:43 ` Richard Broersma Jr
2006-06-05 15:50 ` Willie Wong
@ 2006-06-05 17:15 ` Leandro Melo de Sales
2006-06-05 17:47 ` Justin R Findlay
2006-06-05 22:21 ` Jeremy Olexa
2006-06-05 17:56 ` Steven Susbauer
3 siblings, 2 replies; 17+ messages in thread
From: Leandro Melo de Sales @ 2006-06-05 17:15 UTC (permalink / raw
To: gentoo-user
How can I recompile openssh to support tcpwrapper? I can find neither
/etc/hosts.allow nor /etc/hosts.deny. Is there something missing?
Is there a way to put tcpwrapper as a turned on option for all
programs that support it?
Specifically for openssh I edit /etc/portage/package.use file and put:
net-misc/openssh tcpwrapper, but I got this:
# emerge --pretend openssh
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] net-misc/openssh-4.3_p2-r1
I want to see +tcpwrapper...
Leandro
2006/6/5, Oliver Schmidt <oli@kernelpanic.ch>:
> > Hi,
> >
> > today when I was checking the server log I got many external
> > attempts to connect to my sshd service:
> >
> > ...
> > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > ...
> >
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with time
> > interval between attempts of 2 or 3 seconds meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> > So, first, Am I thinking correct about the sshd attempts?
> > Second, how can I setup sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:
> >
>
> Try using Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> I've used it for more than a year now... it's perfect to block bruteforce attacks.
>
> cheers
> Oli
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 17:15 ` Leandro Melo de Sales
@ 2006-06-05 17:47 ` Justin R Findlay
2006-06-05 22:21 ` Jeremy Olexa
1 sibling, 0 replies; 17+ messages in thread
From: Justin R Findlay @ 2006-06-05 17:47 UTC (permalink / raw
To: gentoo-user
On Mon, Jun 05, 2006 at 02:15:34PM -0300, Leandro Melo de Sales wrote:
> How can I recompile openssh to support tcpwrapper? I can find neither
> /etc/hosts.allow nor /etc/hosts.deny. Is there something missing?
> Is there a way to put tcpwrapper as a turned on option for all
> programs that support it?
I'm pretty sure if you have neither a hosts.allow nor a hosts.deny then
there are no special restrictions/allowances made against any remote
hosts; see the man pages for hosts.allow, hosts.deny.
> Specifically for openssh I edit /etc/portage/package.use file and put:
>
> net-misc/openssh tcpwrapper, but I got this:
>
> # emerge --pretend openssh
>
> I want to see +tcpwrapper...
you should try:
# emerge --pretend --verbose openssh
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-misc/openssh-4.3_p2-r1 USE="ipv6 pam tcpd -X509
-chroot -hpn -kerberos -ldap -libedit -sftplogging -skey -smartcard
-static" 0 kB
and it looks like the tcpwrapper flag is 'tcpd', not 'tcpwrapper'.
Justin
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 17:15 ` Leandro Melo de Sales
2006-06-05 17:47 ` Justin R Findlay
@ 2006-06-05 22:21 ` Jeremy Olexa
2006-06-06 5:25 ` Leandro Melo de Sales
1 sibling, 1 reply; 17+ messages in thread
From: Jeremy Olexa @ 2006-06-05 22:21 UTC (permalink / raw
To: gentoo-user
Leandro Melo de Sales wrote:
> How can I recompile openssh to support tcpwrapper? I can find neither
> /etc/hosts.allow nor /etc/hosts.deny. Is there something missing?
> Is there a way to put tcpwrapper as a turned on option for all
> programs that support it?
You have to create those files yourself. Check the man pages for details.
> Specifically for openssh I edit /etc/portage/package.use file and put:
>
> net-misc/openssh tcpwrapper, but I got this:
>
> # emerge --pretend openssh
>
> These are the packages that I would merge, in order:
>
> Calculating dependencies ...done!
> [ebuild R ] net-misc/openssh-4.3_p2-r1
emerge -pv openssh to see the use flags
> I want to see +tcpwrapper...
>
> Leandro
>
--
Jeremy Olexa
(olexa@cs.umn.edu)
Office: EE/CS 1-201
CS/IT Systems Staff
University of Minnesota
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 22:21 ` Jeremy Olexa
@ 2006-06-06 5:25 ` Leandro Melo de Sales
0 siblings, 0 replies; 17+ messages in thread
From: Leandro Melo de Sales @ 2006-06-06 5:25 UTC (permalink / raw
To: gentoo-user
2006/6/5, Jeremy Olexa <olexa@cs.umn.edu>:
> Leandro Melo de Sales wrote:
> > How can I recompile openssh to support tcpwrapper? I can find neither
> > /etc/hosts.allow nor /etc/hosts.deny. Is there something missing?
> > Is there a way to put tcpwrapper as a turned on option for all
> > programs that support it?
>
> You have to create those files yourself. Check the man pages for details.
>
> > Specifically for openssh I edit /etc/portage/package.use file and put:
> >
> > net-misc/openssh tcpwrapper, but I got this:
> >
> > # emerge --pretend openssh
> >
> > These are the packages that I would merge, in order:
> >
> > Calculating dependencies ...done!
> > [ebuild R ] net-misc/openssh-4.3_p2-r1
>
> emerge -pv openssh to see the use flags
>
> > I want to see +tcpwrapper...
> >
> > Leandro
> >
>
>
> --
> Jeremy Olexa
> (olexa@cs.umn.edu)
> Office: EE/CS 1-201
> CS/IT Systems Staff
> University of Minnesota
OK. Thanks all, now it is working.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 15:27 ` Oliver Schmidt
` (2 preceding siblings ...)
2006-06-05 17:15 ` Leandro Melo de Sales
@ 2006-06-05 17:56 ` Steven Susbauer
3 siblings, 0 replies; 17+ messages in thread
From: Steven Susbauer @ 2006-06-05 17:56 UTC (permalink / raw
To: gentoo-user
On Mon, 5 Jun 2006, Oliver Schmidt wrote:
> > Hi,
> >
> > today when I was checking the server log I got many external
> > attempts to connect to my sshd service:
> >
> > ...
> > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > ...
> >
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with time
> > interval between attempts of 2 or 3 seconds meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> > So, first, Am I thinking correct about the sshd attempts?
> > Second, how can I setup sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:
> >
>
> Try using Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> I've used it for more than a year now... it's perfect to block bruteforce attacks.
>
> cheers
> Oli
>
>
>
Agreed, DenyHosts works great, even sends me an email when it adds an
address. DenyHosts can also be configured to watch ftp server logs.
You don't need to run it from a cron script (though you certainly can),
there is an init script created on install that works just fine too.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 15:06 [gentoo-user] SSH authentication attempts - serious issue Leandro Melo de Sales
2006-06-05 15:27 ` Oliver Schmidt
@ 2006-06-05 15:30 ` Uwe Thiem
2006-06-05 16:09 ` Etaoin Shrdlu
2006-06-05 16:31 ` Joseph
3 siblings, 0 replies; 17+ messages in thread
From: Uwe Thiem @ 2006-06-05 15:30 UTC (permalink / raw
To: gentoo-user
On 05 June 2006 16:06, Leandro Melo de Sales wrote:
> Hi,
>
> today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
>
> this seems to be a brute force attack, but one thing that worried me
> is why sshd didn't disconnect the remote host after 3 unsuccessful
> attempts? If we see in the log, there are many attempts with time
> interval between attempts of 2 or 3 seconds meaning that the sshd
> didn't disconnect the remote host after 3 attempts.
> So, first, Am I thinking correct about the sshd attempts?
> Second, how can I setup sshd or the entire system to permit just 2 or
> 3 attempts of authentication? I was checking the /etc/login.defs file
> and I see the following option:
>
> #
> # Max number of login retries if password is bad
> #
> LOGIN_RETRIES 3
>
> but why this didn't work for the above connection attempts?
Because it wasn't a bad password. It never got to that stage. ;-)
Uwe
--
Mark Twain: I rather decline two drinks than a German adjective.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 15:06 [gentoo-user] SSH authentication attempts - serious issue Leandro Melo de Sales
2006-06-05 15:27 ` Oliver Schmidt
2006-06-05 15:30 ` Uwe Thiem
@ 2006-06-05 16:09 ` Etaoin Shrdlu
2006-06-05 16:31 ` Joseph
3 siblings, 0 replies; 17+ messages in thread
From: Etaoin Shrdlu @ 2006-06-05 16:09 UTC (permalink / raw
To: gentoo-user
On Monday 5 June 2006 17:06, Leandro Melo de Sales wrote:
> Hi,
>
> today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
>
> this seems to be a brute force attack, but one thing that worried me
> is why sshd didn't disconnect the remote host after 3 unsuccessful
> attempts? If we see in the log, there are many attempts with time
> interval between attempts of 2 or 3 seconds meaning that the sshd
> didn't disconnect the remote host after 3 attempts.
AFAIK, sshd disconnects when 3 incorrect passwords are tried _for the
same account_.
> So, first, Am I thinking correct about the sshd attempts?
> Second, how can I setup sshd or the entire system to permit just 2 or
> 3 attempts of authentication? I was checking the /etc/login.defs file
> and I see the following option:
>
> #
> # Max number of login retries if password is bad
> #
> LOGIN_RETRIES 3
>
> but why this didn't work for the above connection attempts?
See above.
At the very least, you should not permit root login from ssh and choose
very strong passwords for the users that are allowed to login or
(better) set up public key authentication, although that is not very
practical if the same users may log in from random hosts. In this case,
one-time passwords could be useful (google for opie or otpw).
After that, there are many things you can (and should) do. Some examples
include: changing the port on which the ssh daemon listens (not a very
effective solution though), using port knocking, using iptables to limit
the attempts to no more than two or three per minute, use one of the many
denyhosts/fail2ban/captcha modules out there, and so on. Google is your
friend here.
HTH
^ permalink raw reply [flat|nested] 17+ messages in thread
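Added example, not part of any message in this thread: a Python check of an sshd_config against the basics listed above (no root login, keys rather than passwords, moving the port as a weak measure), plus MaxAuthTries, the OpenSSH option that caps authentication attempts per connection. Both config texts are constructed samples, and the limit of 3 tries is an assumption taken from the original question.

```python
import re

# Constructed sample: note the duplicate PermitRootLogin, the commented-out
# directive and the Match block.
WEAK_CONFIG = """\
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
permitrootlogin no
MaxAuthTries 6

Match User backup
    PasswordAuthentication no
"""

# Constructed sample with the settings recommended in the thread.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""


def effective_globals(text):
    """Return the global settings as sshd would read them.

    Keywords are case-insensitive and the first value read for a keyword
    wins, so a later, stricter duplicate has no effect. Parsing stops at the
    first Match block because those settings apply only conditionally.
    Keywords that may legitimately repeat (such as Port) are reduced to
    their first value here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text, max_tries=3):
    """Return (directive, effective value, note) for each weak setting."""
    cfg = effective_globals(text)
    findings = []

    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append(("PermitRootLogin", "(unset)",
                         "default varies by OpenSSH version; set it to no"))
    elif root.lower() != "no":
        findings.append(("PermitRootLogin", root, "root can be targeted over ssh"))

    password = cfg.get("passwordauthentication", "yes")  # sshd default is yes
    if password.lower() != "no":
        findings.append(("PasswordAuthentication", password,
                         "passwords can be guessed; prefer public keys"))

    tries = cfg.get("maxauthtries", "6")  # sshd default is 6
    if int(tries) > max_tries:
        findings.append(("MaxAuthTries", tries,
                         "attempts allowed per connection; a new connection "
                         "starts a new count"))

    port = cfg.get("port", "22")
    if port != "22":
        findings.append(("Port", port,
                         "informational: cuts log noise, does not stop guessing"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for directive, value, note in audit(text):
            print(f"  {directive} {value}: {note}")
```

MaxAuthTries only limits a single connection, so it complements rather than replaces per-source blocking or rate limiting at the firewall.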
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 15:06 [gentoo-user] SSH authentication attempts - serious issue Leandro Melo de Sales
` (2 preceding siblings ...)
2006-06-05 16:09 ` Etaoin Shrdlu
@ 2006-06-05 16:31 ` Joseph
2006-06-05 17:11 ` Leandro Melo de Sales
3 siblings, 1 reply; 17+ messages in thread
From: Joseph @ 2006-06-05 16:31 UTC (permalink / raw
To: gentoo-user
Try port knocking. It is very effective.
Your ssh port will be closed until you successfully hit certain number
of ports and even though the ssh port will be open only to the IP
address that successfully opened the port all others will see ssh port
as closed.
--
#Joseph
On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> Hi,
>
> today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 16:31 ` Joseph
@ 2006-06-05 17:11 ` Leandro Melo de Sales
2006-06-05 17:12 ` Leandro Melo de Sales
0 siblings, 1 reply; 17+ messages in thread
From: Leandro Melo de Sales @ 2006-06-05 17:11 UTC (permalink / raw
To: gentoo-user
Yes, but how can I do it?
2006/6/5, Joseph <syscon@interbaun.com>:
> Try port knocking. It is very effective.
> Your ssh port will be closed until you successfully hit certain number
> of ports and even though the ssh port will be open only to the IP
> address that successfully opened the port all others will see ssh port
> as closed.
>
> --
> #Joseph
>
> On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> > Hi,
> >
> > today when I was checking the server log I got many external
> > attempts to connect to my sshd service:
> >
> > ...
> > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > ...
--
Leandro Melo de Sales.
Computer Science Student
Laboratório de Sistemas Distribuídos - www.lsd.ufcg.edu.br
Laboratório de Sistemas Embarcados e Computação Pervasiva -
www.embeddedacademy.org
Universidade Federal de Campina Grande - UFCG
Campina Grande - PB - Brasil
"Sometimes people fall in love, but a little bit of them really love
or find a truth love. Or sometimes they find it but for some reason
they let love pass without live it intensely. This is the free-well."
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 17:11 ` Leandro Melo de Sales
@ 2006-06-05 17:12 ` Leandro Melo de Sales
2006-06-05 17:54 ` Petr Uzel
0 siblings, 1 reply; 17+ messages in thread
From: Leandro Melo de Sales @ 2006-06-05 17:12 UTC (permalink / raw
To: gentoo-user
2006/6/5, Leandro Melo de Sales <leandroal@gmail.com>:
> Yes, but how can I do it?
>
> 2006/6/5, Joseph <syscon@interbaun.com>:
> > Try port knocking. It is very effective.
> > Your ssh port will be closed until you successfully hit certain number
> > of ports and even though the ssh port will be open only to the IP
> > address that successfully opened the port all others will see ssh port
> > as closed.
> >
> > --
> > #Joseph
> >
> > On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> > > Hi,
> > >
> > > today when I was checking the server log I got many external
> > > attempts to connect to my sshd service:
> > >
> > > ...
> > > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > > ...
I mean, set it up!
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] SSH authentication attempts - serious issue
2006-06-05 17:12 ` Leandro Melo de Sales
@ 2006-06-05 17:54 ` Petr Uzel
2006-06-05 20:48 ` Joseph
0 siblings, 1 reply; 17+ messages in thread
From: Petr Uzel @ 2006-06-05 17:54 UTC (permalink / raw
To: gentoo-user
On Monday 05 June 2006 19:12, Leandro Melo de Sales wrote:
> 2006/6/5, Leandro Melo de Sales <leandroal@gmail.com>:
> > Yes, but how can I do it?
> >
> > 2006/6/5, Joseph <syscon@interbaun.com>:
> > > Try port knocking. It is very effective.
> > > Your ssh port will be closed until you successfully hit certain number
> > > of ports and even though the ssh port will be open only to the IP
> > > address that successfully opened the port all others will see ssh port
> > > as closed.
> > >
> > > --
> > > #Joseph
> > >
> > > On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> > > > Hi,
> > > >
> > > > today when I was checking the server log I got many external
> > > > attempts to connect to my sshd service:
> > > >
> > > > ...
> > > > > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > > > > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > > > > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > > > > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > > > > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > > > > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > > > > ...
>
> I mean, set it up!
Hi,
this should help you : http://gentoo-wiki.com/HOWTO_Port_Knocking
Works well
Petr
^ permalink raw reply [flat|nested] 17+ messages in thread
* RE: [gentoo-user] SSH authentication attempts - serious issue
@ 2006-06-05 16:36 CR Little
0 siblings, 0 replies; 17+ messages in thread
From: CR Little @ 2006-06-05 16:36 UTC (permalink / raw
To: gentoo-user
Do programs like denyhosts work with other protocols? Such as POP or
FTP?
-----Original Message-----
From: Joseph [mailto:syscon@interbaun.com]
Sent: Monday, June 05, 2006 11:32 AM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] SSH authentication attempts - serious issue
Try port knocking. It is very effective.
Your ssh port will be closed until you successfully hit certain number
of ports and even though the ssh port will be open only to the IP
address that successfully opened the port all others will see ssh port
as closed.
--
#Joseph
On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> Hi,
>
> today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
^ permalink raw reply [flat|nested] 17+ messages in thread