Re: Cracking attempt dilemma

Author: Richard Whitney
Date:  
To: plug-discuss
Subject: Re: Cracking attempt dilemma
Quoting June Tate <>:

>
> der.hans wrote:
> |
> | Having a firewall is a good thing :). Make sure you're locking out
> | everything that doesn't need to be. Most people probably only need to
> | allow incoming TCP traffic on port 22. Drop everything else.
>
> Well, I do have a few other services running on this box that I'd like
> to keep open. In particular, I've kept http, ftp (control only), ssh,
> smtp, and imaps open, and I'm aggressively dropping and logging any
> other traffic on the outer interface.
>
> | If you're getting lots of traffic to SSH, which seems to be the case, then
> | maybe you can either lock it down to only a few IPs that you might come
> | from and/or setup a port knocking daemon.
> |
> | knockd - Small port-knock daemon
> | Homepage: http://www.zeroflux.org/knock/
>
> I've actually thought about this. Since the only people using ssh on the
> system are me and my brother, I was thinking about locking it down to
> internal IPs and his one external address.
>
> Port knocking would be a good idea, if and only if my one other user (my
> brother) was a little more computer knowledgeable and ran Linux instead
> of Windows. Neat idea, though.
>
> | A co-worker has been going through this on people who've been DoSsing her.
> | She claims to know who it is and have proof of it. The attacker's mom
> | apparently works at his ISP, so the ISP hasn't done anything despite
> | repeated attempts.
> |
> | If someone is attacking you from another country our gov't won't care
> | unless you're losing lots of money. Lots of money from their perspective,
> | not from ours.
>
> <sarcasm>Oh, goodie.</sarcasm>
> So then it's essentially left up to me to deal with this guy. So should
> I be blacklisting any IP that attempts to break in? For the most part my
> security _seems_ to be okay -- the guy has been attempting to break in
> for over a week now, and he still hasn't gotten in, so his attacks are
> really becoming nothing more than a really pathetic DoS.
>
> Any idea if there's a way to make ssh act like a tarpit? Eg: if you fail
> to login from the same IP more than three times, each successive time
> after that SSH takes exponentially longer to respond with the password
> prompt.
>

Look in your /etc/hosts.allow file

Mine:

# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: xx.xx.xx.xx : ALLOW
sshd: xx.xx.xx.xx : ALLOW
sshd: xx.xx.xx.xx : ALLOW
#sshd: xxx.xxx.xxx.xxx : ALLOW


everybody else is denied access via ssh thus:

/etc/hosts.deny:

sshd: ALL : DENY


Hope that helps

Richard


>
> | That is not the complete answer, but it is part of a balanced breakfast.
>
> Well, it's like what I've heard other netadmins say: security is a
> process, not a state of being. Thanks for the help -- you've given me a
> couple of ideas I'm going to try.
>
> --
> June Tate * http://www.theonelab.com *
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



R. Whitney
Transcend Development
"Producing the next phase of your internet presence"
http://xend.net
Premium Quality Web Hosting
http://hosting.xend.net
rw AT xend.net
Net Binder http://netbinder.net
310-943-6498
602-288-5340
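The hosts.allow / hosts.deny pair Richard posts works because of the order tcp_wrappers evaluates them in: hosts.allow is read first, then hosts.deny, the first matching rule wins, and a client that matches neither file is allowed. That last point is the one worth checking, since without the `sshd: ALL : DENY` catch-all the allow file on its own blocks nobody. The evaluator below is an added example, not code from the post or from tcp_wrappers itself; it re-implements that decision for the client patterns people actually put in these files (ALL, an exact IPv4 address, a dotted prefix like `192.168.1.`, and a CIDR network) with the trailing `: ALLOW` / `: DENY` field of hosts_options(5). The two file bodies are constructed to mirror Richard's, with documentation addresses filled in for his `xx.xx.xx.xx` placeholders; IPv6 and hostname patterns are deliberately out of scope.

```python
"""tcp_wrappers access-control decision, re-implemented for illustration.

Added example, not code from the mailing list post or from tcp_wrappers.
Order of evaluation: hosts.allow first, then hosts.deny, first match
wins, and a client matching neither file is ALLOWED by default.
"""
import ipaddress

# Constructed to mirror Richard's files; the addresses are documentation
# ranges standing in for his xx.xx.xx.xx placeholders.
HOSTS_ALLOW = """\
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
sshd: 203.0.113.7 : ALLOW
sshd: 192.168.1. : ALLOW
sshd: 198.51.100.0/24 : ALLOW
#sshd: 203.0.113.99 : ALLOW
"""

HOSTS_DENY = """\
sshd: ALL : DENY
"""


def parse_rules(text):
    """Return [(daemons, clients, action_or_None), ...] for one file body.

    Fields are 'daemon_list : client_list [: option]'; '#' starts a comment.
    IPv4 only: the colon split would break bracketed IPv6 patterns.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        action = fields[2].upper() if len(fields) > 2 else None
        rules.append((daemons, clients, action))
    return rules


def match_client(pattern, addr):
    """True if IPv4 address addr matches one tcp_wrappers client pattern."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # CIDR network, e.g. 198.51.100.0/24
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):               # dotted prefix, a plain string match
        return addr.startswith(pattern)
    return ip == ipaddress.ip_address(pattern)


def decide(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ("ALLOW" | "DENY", reason) for a connection to daemon from addr."""
    for fname, text, default in (("hosts.allow", allow_text, "ALLOW"),
                                 ("hosts.deny", deny_text, "DENY")):
        for daemons, clients, action in parse_rules(text):
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if any(match_client(c, addr) for c in clients):
                rule = f"{','.join(daemons)}: {','.join(clients)}"
                return (action or default, f"{fname}: {rule}")
    return ("ALLOW", "no match in either file (tcp_wrappers default)")


if __name__ == "__main__":
    for who in ("203.0.113.7", "192.168.1.42", "203.0.113.99", "8.8.8.8"):
        print(who, *decide("sshd", who))
    # The catch-all in hosts.deny is what makes the allow list exclusive:
    print("8.8.8.8 with empty hosts.deny:", *decide("sshd", "8.8.8.8", deny_text=""))
```

Two caveats before relying on this on a real box: sshd only consults these files if it was linked against libwrap (upstream OpenSSH removed that support in 6.7, though some distributions carried it longer), so confirm with `ldd "$(command -v sshd)" | grep libwrap`; and the files only gate sshd, so the same address list belongs in the firewall rules June already has, where it also stops the connection before any SSH handshake happens.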

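June's other two questions, whether to blacklist sources that keep failing and whether ssh can be made to tarpit them with an exponentially growing delay after three failures, are not answered in the thread, so here is an added example (not code from the post, and not a feature of sshd, which has no such backoff option of its own) that works out both from sshd's own log lines: it counts failed logins per source address, computes the per-source delay that a wrapper or firewall rule would enforce, and emits hosts.deny entries in the syntax of Richard's file once a source crosses a ban threshold. The log lines are constructed to look like OpenSSH "Failed password" / "Accepted password" syslog records, and the thresholds are assumptions chosen for the demonstration.

```python
"""Failed-login counting, exponential tarpit delay and hosts.deny output.

Added example, not code from the mailing list post. Thresholds below are
assumptions; the log lines are constructed, not captured from a real host.
"""
import re
from collections import defaultdict

FREE_TRIES = 3        # failures that cost nothing (June's "more than three")
BASE_DELAY = 2.0      # seconds on the first penalised failure, doubling after
MAX_DELAY = 300.0     # cap so the delay can't grow without bound
BAN_AFTER = 6         # failures before the source goes into hosts.deny

# Constructed sample: one persistent attacker, one legitimate user who
# mistypes twice and then logs in, and one source still below the ban line.
SAMPLE_LOG = """\
Mar 14 02:11:03 box sshd[4120]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:11:05 box sshd[4122]: Failed password for invalid user oracle from 198.51.100.23 port 51024 ssh2
Mar 14 02:11:06 box sshd[4124]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar 14 02:11:08 box sshd[4126]: Failed password for root from 198.51.100.23 port 51028 ssh2
Mar 14 02:11:10 box sshd[4128]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Mar 14 02:11:12 box sshd[4130]: Failed password for invalid user guest from 198.51.100.23 port 51032 ssh2
Mar 14 02:11:14 box sshd[4132]: Failed password for root from 198.51.100.23 port 51034 ssh2
Mar 14 02:12:40 box sshd[4140]: Failed password for june from 192.168.1.42 port 40001 ssh2
Mar 14 02:12:47 box sshd[4140]: Failed password for june from 192.168.1.42 port 40001 ssh2
Mar 14 02:12:55 box sshd[4140]: Accepted password for june from 192.168.1.42 port 40001 ssh2
Mar 14 03:05:01 box sshd[4201]: Failed password for invalid user pi from 203.0.113.55 port 60210 ssh2
Mar 14 03:05:03 box sshd[4203]: Failed password for invalid user pi from 203.0.113.55 port 60212 ssh2
Mar 14 03:05:05 box sshd[4205]: Failed password for invalid user ubuntu from 203.0.113.55 port 60214 ssh2
Mar 14 03:05:07 box sshd[4207]: Failed password for root from 203.0.113.55 port 60216 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+")
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[0-9.]+) port \d+")


def delay_for(failures):
    """Seconds to stall the next attempt: 0 up to FREE_TRIES, then 2, 4, 8, ... capped."""
    if failures <= FREE_TRIES:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_TRIES - 1), MAX_DELAY)


def _fresh():
    return {"failures": 0, "delay": 0.0, "banned": False}


def analyse(log_text):
    """Walk the log and return {ip: {"failures", "delay", "banned"}}."""
    state = defaultdict(_fresh)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            s = state[m["ip"]]
            s["failures"] += 1
            s["delay"] = delay_for(s["failures"])
            s["banned"] = s["failures"] >= BAN_AFTER
            continue
        m = ACCEPT_RE.search(line)
        if m and not state[m["ip"]]["banned"]:
            # A successful login resets the counter, so a legitimate user
            # who fat-fingered a password is not tarpitted all day.
            state[m["ip"]] = _fresh()
    return dict(state)


def hosts_deny_lines(state):
    """hosts.deny entries for banned sources, in the syntax of Richard's file."""
    return [f"sshd: {ip} : DENY" for ip, s in sorted(state.items()) if s["banned"]]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(f"{ip:16} failures={s['failures']:2} delay={s['delay']:6.1f}s banned={s['banned']}")
    print("\n".join(hosts_deny_lines(result)))
```

The delay is only computed here; enforcing it means something in front of sshd has to hold the connection, which in practice is a firewall rule that rate-limits new connections per source rather than sshd itself. The ban output is the part that maps directly onto Richard's answer: appending those lines to /etc/hosts.deny (or, better, adding the address to the firewall's drop list) turns a noisy week-long guessing run into a single refused connection.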