Re: how to react on ssh attacks?

From: Stuart Sears (stuart_at_sjsears.com)
Date: 10/24/05

    Date: Mon, 24 Oct 2005 13:04:18 +0100
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    


    Stephanus Fengler wrote:
    > Dear list readers,
    >
    > I know that this is not a security list but it seems a good starting
    > point for me as an ordinary user to ask whether someone can point me in
    > the right direction.
    >
    > I recently checked my log files of my ssh service (so far as I
    > understand this is my only service open) and realized that from the very
    > same IP I got a lot of requests trying to guess a user name on my system,
    > I assume. Since login name always changes in even chronological
    > alphabetical order.
    >
    > So shall I worry about it or do I need to do some countermeasures?

    You have already received some excellent advice on this topic, but might
    I add the following:
    These attacks will get more sophisticated as time goes on - the
    usernames are just a dictionary-based attack and eventually they may get
    a username to work...
    If you always ssh into your system from specific machines, you could
    force the use of public-key authentication on your server, so that even
    if the attackers guess the correct passwords for your system, they will
    be useless without the relevant private key on the attacking system...
    Just for personal security/peace of mind, I would also change the
    Protocol 2,1 line in /etc/ssh/sshd_config to say Protocol 2 and then
    restart the daemon as before. SSH protocol 1 has known exploits.

    --
    Stuart Sears RHCE RHCX
    printk("Penguin %d is stuck in the bottle.\n", i);
            linux-2.0.38/arch/sparc/kernel/smp.c
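
The two sshd_config changes suggested in this message, written as a check that can be run over a config file's text. This is an added example, not part of the original post: the sample configs are constructed, the function names are hypothetical, and it assumes sshd keeps the first value it reads for each keyword and treats lines after a Match line as conditional.

```python
# Added example; sample configs below are constructed, not from a real host.
SAMPLE_WEAK = """\
Port 22
Protocol 2,1
#PasswordAuthentication no
PubkeyAuthentication yes
"""
SAMPLE_HARDENED = """\
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
passwordauthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Values sshd applies when a keyword is absent. Protocol is omitted on purpose:
# its built-in default depends on the OpenSSH release, so only explicit lines are judged.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def effective_settings(config_text):
    """Global keyword -> value. Assumes first occurrence wins, as sshd_config(5) states."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().lower()
        if keyword == "match":
            break  # everything after Match is conditional, not global
        settings.setdefault(keyword, value)
    return settings


def audit(config_text):
    """Return findings for the two changes recommended in the message."""
    eff = {**DEFAULTS, **effective_settings(config_text)}
    findings = []
    if "1" in [p.strip() for p in eff.get("protocol", "").split(",")]:
        findings.append("Protocol allows SSH-1; set 'Protocol 2'")
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled; guessed passwords still log in")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled; key-based login cannot work")
    return findings
```

Calling `audit()` on the text of /etc/ssh/sshd_config returns an empty list once both changes are in place; the commented-out `PasswordAuthentication no` in the weak sample is still reported because the default applies.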
    
