[SATLUG] /var/log/secure: ssh attack
joseph speigle
joe.speigle at jklh.us
Sun Sep 5 23:25:13 CDT 2004
to whom it may concern,
>
> 1) Shut off sshv1 if not already off.. It's weak and has vulnerabilities:
> # cat /etc/ssh/sshd_config
> ...
> #Port 22
> Protocol 2
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> ...
>
> (sshv1 CRC exploit is actually how trinity hacked into the Matrix in reloaded:
> http://www.insecure.org/nmap/nmap_inthenews.html
> Guess they don't even patch against 200 year old exploits.. ;)
>
don't forget they were stuck in the 21st century, so the exploit may not have been that old.
> Unless... getting portscanned by trinity is appealing to you.. ;)
> no.. never mind..
> (not a word Craig!)...
>
> next...
>
> 2) Block all SSH access except from your "Ok" IP range w/iptables
> ("/etc/sysconfig/iptables" in RedHat systems):
> -A INPUT -p tcp -s 192.168.0.0/23 -d 0/0 -m tcp --dport 22 -j ACCEPT
> ...
> -A INPUT -p tcp -s 0/0 -d 0/0 -j REJECT
>
> (warning.. this last one blocks it all... only use it to lock out everything
> you don't allow in. Also... stop using hosts.allow/deny after turning this
> on)
>
> 3) I recommend running portsentry along with your iptables:
> http://sourceforge.net/projects/sentrytools/
>
> This'll keep portscanning kiddies off your back.
>
> Here's an article I wrote on it:
> http://www.unixreview.com/documents/s=7459/uni1030462740022/
>
> (if anyone sees any typos.. let me know.. my glassea are proken, it's 3am, and
> I'm a bit groggy...)
>
> Cheers,
I think it is worthwhile to mention that name-based attacks (trying to guess username/password combos) or attacks on faulty setup configs are usually brute-force attacks by a technologically naive person, unlike the attacks where you never know you were infiltrated, which IIRC are buffer exploits and drop to a root shell without writing to any log files.
joe,
"just another san antonio linux group member"
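The thread above gives three pieces of advice (find the brute-force attempts in /var/log/secure, make sure sshd only speaks protocol 2, and fence port 22 off with iptables). The script below is an added example, not code from the list posters: it summarises failed password attempts per source address from constructed /var/log/secure lines, reports whether an sshd_config fragment still allows SSHv1, and prints the two iptables rules from the post for an allowed range you pass in. The sample log lines and the host name in them are made up, and nothing here touches a real firewall or needs root.

```shell
#!/bin/sh
# Added example (not from the SATLUG thread). Three helpers:
#   failed_by_ip   - count "Failed password" lines per source IP (stdin)
#   sshv1_enabled  - exit 0 if an sshd_config (stdin) still permits protocol 1
#   ssh_allow_rules - print the ACCEPT/REJECT pair from the post for one CIDR
# Runs offline; no root, no iptables invocation.

# Constructed sample of /var/log/secure lines in the 2004-era OpenSSH format.
# Three failures from one outside host, one failure plus one success from
# a host inside the "Ok" range.
SAMPLE_LOG='Sep  5 22:41:02 host sshd[4021]: Failed password for illegal user test from 203.0.113.9 port 41234 ssh2
Sep  5 22:41:04 host sshd[4023]: Failed password for illegal user admin from 203.0.113.9 port 41240 ssh2
Sep  5 22:41:07 host sshd[4025]: Failed password for root from 203.0.113.9 port 41251 ssh2
Sep  5 22:42:11 host sshd[4031]: Failed password for joe from 192.168.1.20 port 50112 ssh2
Sep  5 22:43:00 host sshd[4040]: Accepted password for joe from 192.168.1.20 port 50113 ssh2'

# Print "count ip" for every source that produced a failed password,
# busiest first. Only sshd "Failed password" lines are counted; the IP is
# the token after "from", so "illegal user <name>" does not confuse it.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Exit 0 if the sshd_config text on stdin allows SSHv1 ("Protocol 1" or
# "Protocol 2,1"), exit 1 if only protocol 2 is enabled. Commented lines
# are skipped. No Protocol line at all counts as permissive, since old
# OpenSSH releases defaulted to "2,1".
sshv1_enabled() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "Protocol" { found = 1; if ($2 ~ /(^|,)1(,|$)/) bad = 1 }
        END { exit !(bad || !found) }'
}

# Emit the two rules from the post for one allowed CIDR: accept SSH from
# that range, then reject every other inbound TCP connection. Chain names
# are case-sensitive, so it must be INPUT, not input.
ssh_allow_rules() {
    printf '%s\n' "-A INPUT -p tcp -s $1 -d 0/0 -m tcp --dport 22 -j ACCEPT"
    printf '%s\n' "-A INPUT -p tcp -s 0/0 -d 0/0 -j REJECT"
}

# Stand-alone run over the constructed data.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
if printf 'Protocol 2,1\n' | sshv1_enabled; then
    echo "SSHv1 still enabled: set 'Protocol 2' in sshd_config"
fi
ssh_allow_rules 192.168.0.0/23
```

To use it against a live box, replace the sample with `failed_by_ip < /var/log/secure` and `sshv1_enabled < /etc/ssh/sshd_config`. The REJECT rule drops everything not explicitly allowed above it, exactly as the post warns, so keep the ACCEPT lines for every service you still want reachable ahead of it.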