LinuxQuestions.org
Old 03-06-2007, 06:15 PM   #1
reggie
LQ Newbie
 
Registered: Dec 2002
Distribution: Slackware
Posts: 16

Rep: Reputation: 0
sshd and hosts.deny


Hi,

I have a small concern.

Lately there have been many attempts to compromise my Linux shell (and FTP storage) from all over the world by repeatedly trying different usernames and passwords. What I did was take, for instance, "58.1.248.201" and add the line:

ALL:58.

to /etc/hosts.deny. I decided to block the entire "block", because there are multiple IP addresses from the same network. I am behind a router and can close the port at any time, but I have a lot of schoolwork on this machine and access it from there and other places. So I added more like this and rebooted (just as an added extra precaution). Today those same IPs were found in my messages like so:

Code:
Mar 6 08:09:46 leo sshd[648]: Did not receive identification string from 58.1.248.201
Mar 6 05:53:10 leo sshd[587]: Failed password for root from 140.116.214.65 port 36688 ssh2

Here is where I got confused. I have a long list and this is the first time I've seen these addresses in the log after adding the IPs to hosts.deny. It is only these two; none of the others show up here. Please give me your feedback on this. I'm just an average Linux user, no expert (but would like to be one day). I "thought" I had this understood right but I'm missing something, thanks for your input.

I am using Slackware 11.

For anybody else out there with a Linux box at home, I would highly advise (as always, but now more than ever) implementing a very strong password and closing any ports you aren't using with a router/firewall. I have a list of 100 to 200 attempts from about 50 different IP addresses ranging from China, India, U.S., France and more, and I'm just a slackish home user. Secure your information or it will be compromised! I'm on a cheap cable network though, which probably has a lot to do with it.

Last edited by reggie; 03-06-2007 at 06:23 PM.
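As an added example (not code from the thread), here is a small Python audit that applies hosts.deny client patterns of the kind used in the post, the trailing-dot prefix "58." and the net/mask form, to the source addresses found in sshd log lines; the hosts.deny content and log lines below are constructed. An address that matches a deny rule yet still appears at the "Failed password" stage means sshd is not applying tcp_wrappers to that connection, which is the thing to check before adding more rules.

```python
import re

# Constructed sample input (not from the thread): a hosts.deny with the poster's
# "ALL: 58." style rule plus a net/mask rule, and three sshd log lines to audit.
HOSTS_DENY = """\
ALL: 58.
sshd: 140.116.0.0/255.255.0.0
"""
AUTH_LOG = """\
Mar 6 08:09:46 leo sshd[648]: Did not receive identification string from 58.1.248.201
Mar 6 05:53:10 leo sshd[587]: Failed password for root from 140.116.214.65 port 36688 ssh2
Mar 6 09:12:01 leo sshd[702]: Failed password for invalid user test from 203.0.113.7 port 4022 ssh2
"""
# Source address in sshd's two common brute-force log messages.
LOG_RE = re.compile(r"sshd\[\d+\]: (?:Failed password for .*? from|Did not receive "
                    r"identification string from) (\d+\.\d+\.\d+\.\d+)")

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def pattern_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, net/mask, "58." prefix, exact IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # e.g. 140.116.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return ip_to_int(ip) & ip_to_int(mask) == ip_to_int(net) & ip_to_int(mask)
    if pattern.endswith("."):               # trailing dot: numeric prefix, 58. = 58.x.x.x
        return ip.startswith(pattern)
    return ip == pattern

def parse_hosts_deny(text):
    """Yield (daemon_list, client_list, raw_line); comments, EXCEPT and options are ignored."""
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line and ":" in line:
            fields = [f.strip() for f in line.split(":")]
            yield fields[0].split(), fields[1].replace(",", " ").split(), line

def audit(hosts_deny, log):
    """Map each source IP in the log to the hosts.deny line that should cover sshd, or None."""
    rules = list(parse_hosts_deny(hosts_deny))
    seen = {}
    for m in LOG_RE.finditer(log):
        ip = m.group(1)
        seen.setdefault(ip, None)
        for daemons, clients, raw in rules:
            if {"ALL", "sshd"} & set(daemons) and any(pattern_matches(c, ip) for c in clients):
                seen[ip] = raw          # logged despite a deny rule: sshd is not applying it
                break
    return seen
```

Addresses mapped to a rule are the ones that should never have reached sshd; addresses mapped to None simply need a rule (or a firewall entry) if you want them blocked.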
 
Old 03-06-2007, 10:43 PM   #2
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 3,000

Rep: Reputation: 392
There are many tools/techniques to harden ssh against these types of dictionary attacks which, unfortunately, are becoming all too common.
Here's an article describing one such tool, but the reader comments go into a variety of other tools/approaches and are worth a serious look:

http://applications.linux.com/applic...tid=100&tid=35
 
Old 03-07-2007, 09:00 PM   #3
nmh+linuxquestions.o
Member
 
Registered: Feb 2007
Posts: 135

Rep: Reputation: 15
I would like to point out a few 'local' information sources as well:
 
  