[olug] attempted attacks

Vincent.Raffensberger at dtn.com Vincent.Raffensberger at dtn.com
Tue Mar 8 17:09:26 UTC 2005


You may also want to set some restrictions in your sshd config file. 
Here's an example of some of those settings:

/etc/ssh/sshd_config:
MaxAuthTries 2
AllowGroups wheel login
MaxStartups 5:30:30

Read below for explanations of some of these.  MaxStartups is a nice one.

SSHD_CONFIG(5)              BSD File Formats Manual              SSHD_CONFIG(5)

     AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  If specified, login is allowed only for
             users whose primary group or supplementary group list matches one
             of the patterns.  '*' and '?' can be used as wildcards in the
             patterns.  Only group names are valid; a numerical group ID is
             not recognized.  By default, login is allowed for all groups.

     AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.  '*' and '?' can be
             used as wildcards in the patterns.  Only user names are valid; a
             numerical user ID is not recognized.  By default, login is
             allowed for all users.  If the pattern takes the form USER@HOST
             then USER and HOST are separately checked, restricting logins to
             particular users from particular hosts.

     DenyGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  Login is disallowed for users whose primary
             group or supplementary group list matches one of the patterns.
             '*' and '?' can be used as wildcards in the patterns.  Only group
             names are valid; a numerical group ID is not recognized.  By
             default, login is allowed for all groups.

     DenyUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  Login is disallowed for user names that
             match one of the patterns.  '*' and '?' can be used as wildcards
             in the patterns.  Only user names are valid; a numerical user ID
             is not recognized.  By default, login is allowed for all users.
             If the pattern takes the form USER@HOST then USER and HOST are
             separately checked, restricting logins to particular users from
             particular hosts.

     MaxAuthTries
             Specifies the maximum number of authentication attempts permitted
             per connection.  Once the number of failures reaches half this
             value, additional failures are logged.  The default is 6.

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the sshd daemon.  Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection.  The default is 10.

             Alternatively, random early drop can be enabled by specifying the
             three colon separated values ``start:rate:full'' (e.g.,
             "10:30:60").  sshd will refuse connection attempts with a
             probability of ``rate/100'' (30%) if there are currently
             ``start'' (10) unauthenticated connections.  The probability
             increases linearly and all connection attempts are refused if
             the number of unauthenticated connections reaches ``full'' (60).
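An added example, not code from the post and not OpenSSH's own implementation: a short Python script that parses the three sshd_config lines suggested above and works through the MaxStartups random early drop arithmetic exactly as the man page excerpt describes it (rate% at "start", rising linearly to 100% at "full"). The sample config, the function names and the audit checks are constructed for illustration; the bare-integer form of MaxStartups is treated as a hard cap (start = full = N, rate = 100).

```python
"""Added example (not from the post or from OpenSSH): parse a few sshd_config
lines and work through the MaxStartups random early drop rule described in
sshd_config(5). All function names and the sample config are constructed."""
import random
import re
from typing import Dict, List, Tuple

# Constructed sample: the three settings suggested in the post.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
MaxAuthTries 2
AllowGroups wheel login
MaxStartups 5:30:30
"""


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased keyword -> argument list. Accepts 'Key value' and
    'Key=value'; the first occurrence of a keyword wins, as in sshd."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        settings.setdefault(keyword, args)
    return settings


def parse_max_startups(value: str) -> Tuple[int, int, int]:
    """'start:rate:full' -> (start, rate, full). A bare integer N is a hard
    cap: start = full = N, rate = 100 (refuse everything past N)."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError(f"out-of-range MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(unauth: int, start: int, rate: int, full: int) -> int:
    """Percent chance a new connection is refused when `unauth`
    unauthenticated connections are already open: 0 below `start`,
    `rate` at `start`, rising linearly to 100 at `full`."""
    if unauth < start:
        return 0
    if unauth >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (unauth - start) // (full - start)


def should_drop(unauth: int, start: int, rate: int, full: int,
                rng: random.Random = random.Random()) -> bool:
    """One coin flip at that probability, i.e. the per-connection decision."""
    return rng.randrange(100) < drop_probability(unauth, start, rate, full)


def audit(settings: Dict[str, List[str]]) -> List[str]:
    """Report where a config still relies on the permissive defaults."""
    findings: List[str] = []
    tries = int(settings.get("maxauthtries", ["6"])[0])
    if tries > 3:
        findings.append(f"MaxAuthTries {tries}: default 6 gives six guesses per connection")
    if "allowgroups" not in settings and "allowusers" not in settings:
        findings.append("no AllowGroups/AllowUsers: every local account may attempt to log in")
    start, rate, full = parse_max_startups(settings.get("maxstartups", ["10"])[0])
    if start == full:
        findings.append(f"MaxStartups {start}: hard cap only, no random early drop")
    return findings


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("findings:", audit(cfg) or "none")
    start, rate, full = parse_max_startups(cfg["maxstartups"][0])
    for n in range(0, full + 1, 5):
        p = drop_probability(n, start, rate, full)
        print(f"{n:2d} unauthenticated connections -> refuse {p:3d}%")
```

Run against the sample, the audit reports nothing and the table shows why "5:30:30" is aggressive: refusals start at 30% with only five half-open connections and reach 100% at thirty, so a single scanner holding connections open can make the daemon refuse legitimate users too; the "10:30:60" example from the man page leaves more headroom.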




Christopher Cashell <topher at zyp.org>
Sent by: olug-bounces at olug.org
03/08/2005 10:48 AM
Please respond to Omaha Linux User Group <olug at olug.org>

To: olug at olug.org
cc:
Subject: Re: [olug] attempted attacks

At Tue, 08 Mar 05, Unidentified Flying Banana Noel Leistad, said:
> hosts.deny for whatever the reported whois network is. Harsh, but
> effective.

Or, slightly better yet:

sudo iptables -A INPUT -s EVIL_IP_GOES_HERE -j DROP

Or, even better than that, go with active protection.  There are a
handful of applications out there that can actively "defend" your
machine when certain activities are detected.  Examples include adding a
temporary iptables rule blocking access to an IP address when excessive
scanning is detected, or adding a temporary iptables rule blocking access
when excessive failed logins are detected, etc.

-- 
| Christopher
+------------------------------------------------+
| Here I stand.  I can do no other.              |
+------------------------------------------------+

_______________________________________________
OLUG mailing list
OLUG at olug.org
http://lists.olug.org/mailman/listinfo/olug
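The "active protection" Christopher describes (a temporary iptables rule added when excessive failed logins are detected), worked through as an added example that is not code from the post or from any existing tool. It reads constructed auth.log lines, counts failed-password attempts per source address inside a sliding window, and produces the post's iptables line plus the matching delete that makes the block temporary. The function names, thresholds and sample log lines are all invented here; the addresses are TEST-NET ranges.

```python
"""Added example (not from the post or from any particular tool): flag source
addresses with too many failed SSH logins in a sliding window and build the
iptables add/delete commands. Names and sample log lines are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional, Tuple

LOG_YEAR = 2005  # syslog lines carry no year; fixed here for the sample

# Constructed sample log: one noisy host, one quiet one, one success.
SAMPLE_AUTH_LOG = """\
Mar  8 10:30:00 gw sshd[4101]: Failed password for root from 203.0.113.5 port 3301 ssh2
Mar  8 10:41:02 gw sshd[4120]: Failed password for illegal user test from 192.0.2.10 port 4022 ssh2
Mar  8 10:41:05 gw sshd[4121]: Failed password for illegal user admin from 192.0.2.10 port 4023 ssh2
Mar  8 10:41:09 gw sshd[4122]: Failed password for root from 192.0.2.10 port 4024 ssh2
Mar  8 10:41:14 gw sshd[4123]: Failed password for root from 192.0.2.10 port 4025 ssh2
Mar  8 10:41:17 gw sshd[4130]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Mar  8 10:41:20 gw sshd[4124]: Failed password for root from 192.0.2.10 port 4026 ssh2
Mar  8 10:55:00 gw sshd[4150]: Failed password for root from 203.0.113.5 port 3302 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_login(line: str) -> Optional[Tuple[datetime, str, str]]:
    """(timestamp, source address, user name) for a failed-password line,
    or None for anything else (successful logins, other daemons, noise)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_offenders(lines: Iterable[str], threshold: int = 5,
                   window_seconds: int = 600) -> Dict[str, datetime]:
    """Address -> time it reached `threshold` failures within the window.
    Each address keeps a deque of recent failure times; old ones expire."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    blocked: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if ip in blocked:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            blocked[ip] = ts
    return blocked


def block_rule(ip: str) -> str:
    """The post's iptables line, with the address validated first: a crafted
    user or host field from a log line must never be pasted into a shell."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything else
    return f"iptables -A INPUT -s {addr} -j DROP"


def unblock_rule(ip: str) -> str:
    """Matching delete, for the expiry job that keeps the block temporary."""
    addr = ipaddress.ip_address(ip)
    return f"iptables -D INPUT -s {addr} -j DROP"


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{when:%H:%M:%S} {ip}: {block_rule(ip)}   (later: {unblock_rule(ip)})")
```

Two design points matter in practice: the window is what separates a scanner (five failures in twenty seconds) from a user who mistypes a password twice an hour apart, and the address is validated with ipaddress before it is placed in a command, since log content is attacker-controlled text.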