Ruminations on an SSH attack

Bruce Dawson jbd at codemeta.com
Mon Dec 19 11:18:00 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill Sconce wrote:

|...
|I'll check into DenyHosts. And each of the other tips. Thank you all.
|And perhaps because of this list someone else will be saved the whole
|hassle.

Beware of DenyHosts... A long, long time ago, at an ISP very far away,
I tried doing this (and this was before the days of Protocol Version
2, but that's another story ;-).

It turned out a host I had denied was the IT director's home IP
address. Evidently his machine was compromised and he wasn't aware of
it, and someone was using it to gain access to his ISP network (which
is how I discovered it and got into this situation).

However, once he scrubbed his system and tried to use it to work at
home, he couldn't get in because I had denied his IP w/tcpwrappers. It
took a while before I realized who the person on the other end of the
phone was, what the real problem was, and removed the /etc/hosts.deny
entry.

Also, you need to beware of ISPs who use proxy servers - like AOL,
Yahoo, PowerNet, ... Blocking one of those can block a lot of
legitimate users.

I wish there was something like RBL that listed bogons so I could
block them. A lot of attacks lately have been coming from them.

- --Bruce

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDpt0t/TBScWXa5IgRApMrAJ957xLhwA05JF8tM/mGKUyigU8JQACgrVx3
Ao1DlNOAjlqAZuccsngUj6k=
=Hd4A
-----END PGP SIGNATURE-----
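The lockout Bruce describes is the standard failure mode of any automatic hosts.deny feeder: the script counts failures per address and writes the entry, but nothing asks whether that address also belongs to someone legitimate. The script below is an added example for this archive page, not code from the original post and not DenyHosts itself. It reads sshd log lines (constructed for the example, with addresses from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), applies an assumed threshold of three failed passwords, and refuses to emit a deny entry for an address that is either on a hand-kept allow list (the IT director's home IP, a known ISP proxy) or has ever completed a successful login in the same log. Those addresses are set aside for a human to review instead, which is the check that would have kept the director's IP out of /etc/hosts.deny.

```shell
#!/bin/sh
# Added example: feed tcpwrappers hosts.deny from sshd failures, but never
# auto-deny an allow-listed address or one that has logged in successfully.
# All log lines, addresses and the threshold below are constructed/assumed.

THRESHOLD=3   # assumed: failed passwords before an address is a candidate

# Constructed sshd log excerpt (not real hosts, not real users).
SAMPLE_LOG='Dec 19 10:01:02 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Dec 19 10:01:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Dec 19 10:01:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Dec 19 10:02:10 host sshd[1004]: Failed password for bruce from 198.51.100.20 port 50001 ssh2
Dec 19 10:02:14 host sshd[1005]: Failed password for bruce from 198.51.100.20 port 50002 ssh2
Dec 19 10:02:18 host sshd[1006]: Failed password for bruce from 198.51.100.20 port 50003 ssh2
Dec 19 10:03:00 host sshd[1007]: Accepted publickey for bruce from 192.0.2.5 port 60000 ssh2
Dec 19 10:03:30 host sshd[1008]: Failed password for bruce from 192.0.2.5 port 60001 ssh2
Dec 19 10:03:34 host sshd[1009]: Failed password for bruce from 192.0.2.5 port 60002 ssh2
Dec 19 10:03:38 host sshd[1010]: Failed password for bruce from 192.0.2.5 port 60003 ssh2
Dec 19 10:04:00 host sshd[1011]: Failed password for guest from 192.0.2.99 port 60010 ssh2'

# Constructed allow list: one address per line, e.g. the director's home IP
# or an ISP proxy that fronts many users. Never auto-denied.
ALLOWED_HOSTS='198.51.100.20'

# Print "count ip" for every source address with failed password attempts.
failed_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from / {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }'
}

# Print every source address that has ever authenticated successfully.
accepted_hosts() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)
         }' | sort -u
}

# Exit 0 when $1 is on the allow list.
is_allowed() {
    printf '%s\n' "$ALLOWED_HOSTS" | grep -qxF -- "$1"
}

# Classify each failing address as "below" (under threshold), "review"
# (over threshold but allow-listed or previously accepted) or "deny".
classify() {
    log=$(cat)
    accepted=$(printf '%s\n' "$log" | accepted_hosts)
    printf '%s\n' "$log" | failed_counts | while read -r count ip; do
        if [ "$count" -lt "$THRESHOLD" ]; then
            printf 'below %s\n' "$ip"
        elif is_allowed "$ip" || printf '%s\n' "$accepted" | grep -qxF -- "$ip"; then
            printf 'review %s\n' "$ip"
        else
            printf 'deny %s\n' "$ip"
        fi
    done | sort
}

# hosts.deny lines (hosts_access(5) syntax) for addresses safe to auto-deny.
deny_entries() { classify | awk '$1 == "deny" { print "sshd: " $2 }'; }

# Addresses that crossed the threshold but need a human decision.
review_entries() { classify | awk '$1 == "review" { print $2 }'; }

# Stand-alone demo: ./deny.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "# would append to /etc/hosts.deny:"
    printf '%s\n' "$SAMPLE_LOG" | deny_entries
    echo "# needs review before denying:"
    printf '%s\n' "$SAMPLE_LOG" | review_entries
fi
```

With the constructed log, only 203.0.113.7 becomes a deny entry; 198.51.100.20 is held back by the allow list and 192.0.2.5 because the same log shows it logging in with a key an hour earlier, which is exactly the pattern of a compromised legitimate host. Matching on exact addresses is deliberate: a CIDR-aware allow list is straightforward to add, but the point of the example is the two exclusions, not the matcher.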