LinuxQuestions.org
Old 11-14-2004, 11:38 AM   #76
lord_zoo
Member
 
Registered: Sep 2003
Location: Buenos Aires - Argentina
Posts: 30

Rep: Reputation: 15

That's why I think this could be a honeypot.

Anyway, I don't think a hacker could want to waste his time on something that suspicious.

I don't know.
 
Old 11-14-2004, 12:11 PM   #77
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
Of course, they could be IP spoofing the IP of a honeypot. Wouldn't that be fun?
 
Old 11-14-2004, 04:48 PM   #78
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
Quote:
Originally posted by Matir
...very suspicious, if you ask me. Or stupid. One of the two.
You have to keep in mind that the attack could be coming from someone compromised by this very same attack. So for someone with a root password of "root", I wouldn't be surprised to see something equally as stupid ... like having basically every service known to man turned on
 
Old 11-21-2004, 01:30 PM   #79
mardanian
Member
 
Registered: Mar 2004
Distribution: Fedora
Posts: 254

Rep: Reputation: 30
I think changing the sshd listening port to something other than 22 would help?
Protecting from those stupid scanners that try to root every box on earth.
 
Old 12-04-2004, 01:20 PM   #80
emetib
Member
 
Registered: Feb 2003
Posts: 482

Rep: Reputation: 33
I haven't read this whole thread, but I'm curious about the hosts.allow.

Can you specify a MAC address to let through, instead of just an IP?
Since I'll be using a laptop to access my server in varying locations.

Thanks.
 
Old 12-05-2004, 02:52 AM   #81
adjman
LQ Newbie
 
Registered: Sep 2004
Location: Duncton, UK
Distribution: Lubuntu
Posts: 6

Rep: Reputation: 0
MAC Address

Yes, you can indeed specify MAC or hardware addresses on the firewall for rules:

and it would be done something like this

# "-m mac" needs the MAC match compiled into the kernel or loaded as a module;
# a MAC address has six octets (the sixth octet here is a placeholder)
iptables -A INPUT -m mac --mac-source 00:C7:8F:72:14:00 -j ACCEPT

You need to have compiled MAC address matching into your kernel, or loaded the appropriate module.

Please correct me if I'm wrong chaps out there
 
Old 12-05-2004, 04:25 AM   #82
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
The problem with using MAC addresses is that the machine connecting has to be on the local network, due to the fact that MAC addresses aren't remotely transmitted (in OSI terminology they're utilized on the link layer, not the network layer). So if you were connecting remotely over the internet, you couldn't filter based on the remote system's MAC address.
 
Old 12-05-2004, 09:30 AM   #83
emetib
Member
 
Registered: Feb 2003
Posts: 482

Rep: Reputation: 33
thank you for that answer. it's what i needed to know.
 
Old 12-15-2004, 12:40 AM   #84
IchBin
Member
 
Registered: Dec 2004
Distribution: Tinysofa Classic
Posts: 75

Rep: Reputation: 15
So does anyone have a script to automatically add this to iptables?
 
Old 12-15-2004, 07:33 PM   #85
jymbo
Member
 
Registered: Jan 2003
Posts: 217

Rep: Reputation: 30
Portsentry will add the offender to hosts.deny AND add a KILLROUTE. 3 caveats though:

1.) You need to run sshd on a different port
2.) You need to configure portsentry to monitor port 22
3.) To prevent your routing table from getting flooded, set up a cronjob to flush it every 2 days or so
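For caveat 3, the flush can be done from cron without throwing away the whole routing table. The script below is an added example, not jymbo's or portsentry's own code: it assumes KILLROUTE was configured to add a "reject" host route for each offender (which iproute2 lists as "unreachable <ip>"), reads "ip route show" output on stdin, and prints one "ip route del" command per portsentry-style host route, skipping reject routes for whole networks so that anything added by hand survives. The sample routing table is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: emit "ip route del" commands for the reject host routes
# that portsentry's KILLROUTE accumulates. Assumption: KILLROUTE adds
# "route add -host <ip> reject", shown by iproute2 as "unreachable <ip>".

# Constructed sample of "ip route show" output, used for an offline run.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 scope link
unreachable 203.0.113.45
unreachable 10.0.0.0/8
unreachable 198.51.100.9'

# reject_route_cmds : read "ip route show" output on stdin and print a
# delete command for every single-host reject route. Network-wide reject
# routes (destination contains "/") are left alone: portsentry only adds
# host routes, so those were put there by the administrator.
reject_route_cmds() {
    awk '$1 == "unreachable" && index($2, "/") == 0 {
        print "ip route del unreachable " $2
    }'
}

# Cron entry for root, every second day at 04:00, assuming this file is
# saved as /usr/local/sbin/flush-reject-routes.sh:
#   0 4 */2 * * ip route show | sh /usr/local/sbin/flush-reject-routes.sh | sh
# Offline run against the constructed sample (commands are printed, not run):
printf '%s\n' "$SAMPLE_ROUTES" | reject_route_cmds
```

Printing the commands rather than running them keeps the script reviewable; in cron the trailing "| sh" applies them. Note that this only trims the routing table, not the entries portsentry appended to hosts.deny.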
 
Old 12-20-2004, 06:36 PM   #86
whoisdevnull
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Rep: Reputation: 0
Tried to read through all the posts here but couldn't make it ;-)

Don't know if this has already been posted, but there is some good information in a few places here.

A good summary: http://dev.gentoo.org/~krispykringle/sshnotes.txt

A blacklisting script: http://www.pettingers.org/code/SSHBlack.html

A look at what they do once they get in: http://www.security.org.sg/gtec/hone...diary=20041102

Sorry if these are dupes of other posts, we're six pages in here!
 
Old 12-20-2004, 09:32 PM   #87
IchBin
Member
 
Registered: Dec 2004
Distribution: Tinysofa Classic
Posts: 75

Rep: Reputation: 15
Thanks, that's some great info there.
 
Old 12-27-2004, 05:55 PM   #88
whoisdevnull
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Rep: Reputation: 0
Here is another one. Haven't looked at it too closely, the script from a few posts above is working fine.

http://linux.newald.de/new_design/login_check.html

-Mike
 
Old 12-27-2004, 06:29 PM   #89
flipcode
Member
 
Registered: Dec 2004
Distribution: Red Hat 9, Fedora Core 3, KNOPPIX
Posts: 33

Rep: Reputation: 15
If you have a static IP you could quite easily block all SSH access via iptables to all but your static IP(s).
 
Old 12-28-2004, 11:15 PM   #90
IchBin
Member
 
Registered: Dec 2004
Distribution: Tinysofa Classic
Posts: 75

Rep: Reputation: 15
Well, there are a couple of IPs that I would like to give access. Is that possible?
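Restricting sshd to a static address, as flipcode suggests, extends naturally to several addresses: one ACCEPT rule per address or CIDR block, followed by a DROP for the SSH port. The script below is an added example and not code from any poster in this thread. It prints the iptables rules instead of running them so they can be reviewed first, and it also shows the MAC-based variant from earlier in the thread with corrected syntax, restricted to the LAN interface because, as Capt_Caveman explains, the MAC match only sees directly connected hosts. The port (22), the interface name (eth0), the IP addresses and the MAC address are all constructed assumptions.

```shell
#!/bin/sh
# Added example: generate iptables rules that let only listed addresses
# reach sshd. Assumptions: sshd on port 22, LAN interface eth0; the IPs
# and the MAC below are constructed placeholders.

SSH_PORT=22
LAN_IF=eth0

# ssh_allow_rules IP... : print one ACCEPT rule per address or CIDR block
# given, then a DROP for everything else aimed at the SSH port. "-A"
# appends, so emit these before any existing rule that already accepts
# port 22 (or switch to "-I" to insert at the top of the chain).
ssh_allow_rules() {
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP"
}

# ssh_allow_lan_mac MAC : ACCEPT rule for a laptop on the local segment.
# The match reads the source MAC of the frame arriving on $LAN_IF, so a
# client behind a router shows up with the router's MAC instead. Needs the
# MAC match compiled in or its module (xt_mac, ipt_mac on old kernels).
ssh_allow_lan_mac() {
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $SSH_PORT -m mac --mac-source $1 -j ACCEPT"
}

# Usage: review the output, then apply it with "sh script.sh | sh".
# The MAC rule must precede the DROP that ssh_allow_rules ends with.
ssh_allow_lan_mac 00:C7:8F:72:14:00            # constructed placeholder MAC
ssh_allow_rules 203.0.113.7 198.51.100.0/24    # constructed sample addresses
```

Keep an existing shell session open while applying the rules, so a typo in the allowed address does not lock you out, and remember that a DROP on the SSH port does nothing for the scanner's attempts against other exposed services.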
 
Tags
hostsdeny, keys, ssh