Ruminations on an SSH attack

Ted Roche tedroche at tedroche.com
Mon Dec 19 09:04:01 EST 2005


Agreed with your settings, and adding a Port setting of other than  
the default port 22 eliminates the log bloat from script kiddies.

Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com


On Dec 18, 2005, at 8:48 PM, Bill McGonigle wrote:

> On Dec 18, 2005, at 14:46, Bill Sconce wrote:
>
>> It didn't succeed, so far as I've
>> been able to tell)...
>
> I sleep better at night knowing my servers have these lines in them:
>
> Protocol 2
> PermitRootLogin no
> IgnoreRhosts yes
> PasswordAuthentication no
> AllowUsers ...
>
> These settings aren't right for everybody, but they are very right  
> for most people I encounter and thwart most dictionary attacks,  
> even against weak passwords.  I do work at some places with insane  
> password policies, and this helps a bit.
>
> The one time I did have to clean up after an ssh break was before I  
> adopted this policy, exploited a weak user's password, and,  
> fortunately was just limited to a compromise of that one account -  
> an ircd was running and a rootkit wasn't installed (though  
> certainty on the last point is always in question until you can do  
> offline forensics).
>
>> OK, thousands of attempted logins - that's what a dictionary  
>> attack IS.
>
> There have also been attempts to find OpenSSL vulnerabilities with  
> scripts that look like a dictionary attack (the feint).
>
> -Bill
>
> -----
> Bill McGonigle, Owner           Work: 603.448.4440
> BFC Computing, LLC              Home: 603.448.1668
> bill at bfccomputing.com           Cell: 603.252.2606
> http://www.bfccomputing.com/    Page: 603.442.1833
> Blog: http://blog.bfccomputing.com/
> VCard: http://bfccomputing.com/vcard/bill.vcf
>
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
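
The following is an added example, not part of the original messages: a small Python check that an sshd_config explicitly carries the settings quoted in this thread, plus the non-default Port suggested in the reply. It assumes sshd's rule that the first value read for a keyword is the one used (Port lines accumulate instead), and it only reads the global section before any Match block; the function names and the sample file are constructed for illustration.

```python
import re

# Settings quoted in the thread; AllowUsers and Port are checked separately.
EXPECTED = {"protocol": "2", "permitrootlogin": "no",
            "ignorerhosts": "yes", "passwordauthentication": "no"}

def parse_global(text):
    """Return (first-seen keyword values, list of Port values)."""
    first, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()              # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                  # conditional blocks are out of scope
            break
        if key == "port":
            ports.append(value)             # every Port line adds a listener
        else:
            first.setdefault(key, value)    # later duplicates are ignored
    return first, ports

def audit(text):
    """List where the file departs from the settings in the thread."""
    cfg, ports = parse_global(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly (want {want})")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (want {want})")
    if not cfg.get("allowusers"):
        findings.append("allowusers: no explicit user list")
    if not ports or "22" in ports:
        findings.append("port: listening on 22")
    return findings

# Constructed sample: the earlier PasswordAuthentication line wins,
# so the "no" added further down has no effect.
SAMPLE = """Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
IgnoreRhosts yes
PasswordAuthentication no
AllowUsers alice bob
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "matches the thread's settings")
```

A file that does not mention a keyword is reported as "not set explicitly" rather than judged against a built-in default, since defaults differ between OpenSSH releases.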



