Ruminations on an SSH attack
Tom Buskey
tom at buskey.name
Mon Dec 19 13:05:01 EST 2005
On 12/19/05, Bruce Dawson <jbd at codemeta.com> wrote:
>
> Bill Sconce wrote:
>
> |...
> |I'll check into DenyHosts. And each of the other tips. Thank you all.
> |And perhaps because of this list someone else will be saved the whole
> |hassle.
>
> Beware of DenyHosts... A long, long time ago, at an ISP very far away,
> I tried doing this (and this was before the days of Protocol Version
> 2, but that's another story ;-).
>
> It turned out a host I had denied was the IT director's home IP
> address. Evidently his machine was compromised and he wasn't aware of
> it, and someone was using it to gain access to his ISP network (which
> is how I discovered it and got into this situation).
>
> However, once he scrubbed his system and tried to use it to work at
> home, he couldn't get in because I had denied his IP w/tcpwrappers. It
> took a while before I realized who the person on the other end of the
> phone was, what the real problem was, and removed the /etc/hosts.deny
> entry.

DenyHosts (and sshblack) have timeouts. After some time, the IP is allowed
back.

DenyHosts uses /etc/hosts.deny and works on most Unixen with tcpwrappers;
sshblack uses iptables/ipchains and is limited to Linux.

> Also, you need to beware of ISPs who use proxy servers - like AOL,
> Yahoo, PowerNet, ... Blocking one of those can block a lot of
> legitimate users.

Proxy ssh servers? I can't imagine too many ISPs proxying ssh.

I have used something that did ssh proxying over http. It had lots of
latency but was usable.

> I wish there was something like RBL that listed bogons so I could
> block them. A lot of attacks lately have been coming from them.
>
> --Bruce
--
A strong conviction that something must be done is the parent of many bad
measures.
- Daniel Webster
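
Added example, not part of the original thread and not DenyHosts' or sshblack's own code: one way to combine the block timeout described above with an allowlist, so that an expired or known-good address (such as a staff member's home IP) drops out of the generated /etc/hosts.deny lines. The record format, the function names and the sample addresses are assumptions made for illustration; this example handles IPv4 only.

```python
import ipaddress

DAY = 86400

# Constructed sample data: (address, epoch seconds when it was blocked).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_BLOCKS = [
    ("192.0.2.10", 1_000_000),              # blocked a week before NOW
    ("198.51.100.7", 1_000_000 + 6 * DAY),  # blocked a day before NOW
    ("203.0.113.5", 1_000_000 + 6 * DAY),   # inside the allowlisted range
    ("not-an-ip", 1_000_000),               # malformed record
]
SAMPLE_ALLOW = ["203.0.113.0/24"]  # hypothetical range of known-good hosts
NOW = 1_000_000 + 7 * DAY


def active_blocks(blocks, now, timeout, allow=()):
    """Return the addresses that should still be denied at time `now`."""
    nets = [ipaddress.IPv4Network(n) for n in allow]
    keep = set()
    for raw, blocked_at in blocks:
        try:
            addr = ipaddress.IPv4Address(raw)
        except ValueError:
            continue  # never copy unparsed text into an access-control file
        if any(addr in net for net in nets):
            continue  # allowlisted hosts are never locked out
        if now - blocked_at >= timeout:
            continue  # block has timed out; the address is allowed back
        keep.add(addr)
    return [str(a) for a in sorted(keep)]


def render_hosts_deny(addresses, daemon="sshd"):
    """Format addresses as tcpwrappers 'daemon: client' rules."""
    return "".join(f"{daemon}: {a}\n" for a in addresses)


if __name__ == "__main__":
    still_denied = active_blocks(SAMPLE_BLOCKS, NOW, 5 * DAY, SAMPLE_ALLOW)
    print(render_hosts_deny(still_denied), end="")
```
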