MORE SSH Hacking: heads-up

Dave Rinker drinker at dsrtech.com
Mon Aug 9 05:06:10 UTC 2004


Unfortunately I cannot lock my SSH source hosts as they are always
different, and I got tired of constantly blocking at my firewall.

Worked up this swatch config below to modify the host IPTABLES and drop
traffic if root was attempted or if a nonexistent user was provided.

For those not familiar with swatch you can get it here:
http://swatch.sourceforge.net/
Make sure you get 3.0.8 because "exec" was not working for me in the
newer versions.

Good luck


#start

# exec replaces $N with the Nth whitespace-separated field of the matched line
watchfor /sshd.*: Failed password for root from/
        mail=myaddress,subject=Root_Login_Attempt
        exec /sbin/iptables -I INPUT -i eth0 -s $11 -d 0/0 -p tcp --dport 22 -j DROP

watchfor /sshd.*: Illegal user/
        mail=myaddress,subject=Illegal_user_attempt
        exec /sbin/iptables -I INPUT -i eth0 -s $10 -d 0/0 -p tcp --dport 22 -j DROP

#end




On Wed, 2004-08-04 at 13:45, Jack Bowling wrote:

> On Wed, Aug 04, 2004 at 11:54:03AM -0400, ne... wrote:
> > On Aug 4, 2004 at 11:03, Matt Morgan in a soothing rage wrote:
> > 
> > [...]
> > >So use hosts.allow instead, and specify the few particular hosts that 
> > >are allowed to attempt to connect. Everyone else will be summarily 
> > >rejected. (Firewalling the world is not a bad option, either).
> > Does SSH use tcp wrappers on FC? If no, then modifying hosts.allow
> > and/or hosts.deny would be futile. If you have less than three
> > users connecting to your machine using ssh, I would just add
> > those users to the AllowUsers directive, else create a group and
> > add the users to it then use the AllowGroups directive.
> 
> Yes, FC has tcp wrapper-enabled sshd. Not using the hosts.access files to
> add another layer of security is foolhardy, IMO.
> 
> 
> -- 
> Jack Bowling
> mailto: jbinpg at shaw.ca
> 
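
Added example, not part of the original post: a Python sketch of the same two detections that takes the source address from the end of the sshd message and validates it before building the iptables arguments, rather than relying on the field positions $10/$11, which shift when a user name contains whitespace. The log lines are constructed, and the `sshd[pid]:` prefix, the `::ffff:` handling and the function names are assumptions.

```python
import ipaddress
import re

# Message shapes matched by the two watchfor rules in the post. The address is
# anchored to the end of the line because the user name is client-supplied.
PATTERNS = (
    re.compile(r"sshd\[\d+\]: Failed password for root from (\S+) port \d+ ssh2$"),
    re.compile(r"sshd\[\d+\]: Illegal user .* from (\S+)$"),
)

def offender(line):
    """Return the IPv4 source address to block, or None if the line does not qualify."""
    for pattern in PATTERNS:
        match = pattern.search(line.rstrip())
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None  # not an address: never pass it to iptables
        if addr.version == 6:
            addr = addr.ipv4_mapped  # ::ffff:a.b.c.d form; None for native IPv6
        return str(addr) if addr is not None else None
    return None

def drop_rule(ip):
    """Argument vector for the rule in the post; a list needs no shell parsing."""
    return ["/sbin/iptables", "-I", "INPUT", "-i", "eth0", "-s", ip,
            "-d", "0/0", "-p", "tcp", "--dport", "22", "-j", "DROP"]

def rules_for(lines):
    """One rule per distinct offending address, in first-seen order."""
    seen = []
    for line in lines:
        ip = offender(line)
        if ip and ip not in seen:
            seen.append(ip)
    return [drop_rule(ip) for ip in seen]

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "Aug  9 05:01:02 gw sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2",
    "Aug  9 05:01:09 gw sshd[4102]: Illegal user test from ::ffff:198.51.100.23",
    "Aug  9 05:01:15 gw sshd[4103]: Illegal user a b from 198.51.100.23",
    "Aug  9 05:02:40 gw sshd[4110]: Accepted password for dave from 192.0.2.10 port 51000 ssh2",
]

if __name__ == "__main__":
    for argv in rules_for(SAMPLE):
        print(" ".join(argv))
```

Deduplicating by address also keeps repeated failures from the same host from stacking identical rules at the top of INPUT.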