Re: SSH Cracking Attempts

2004-10-02 Thread Patrick Albuquerque
On Thu, Sep 30, 2004 at 10:08:35AM +0200, Francois Cerbelle wrote: > On Wed, Sep 29, 2004 at 09:55:59PM +0200, Matthijs wrote: > > Some applications were named in the article - if you want, I can look > > them up and post the names. > > I am interested too by these apps. Even if secret based pr

Re: SSH Cracking Attempts

2004-10-02 Thread Alexei Chetroi
On Fri, Oct 01, 2004 at 07:55:09PM -0400, Ralph Katz wrote: > Date: Fri, 01 Oct 2004 19:55:09 -0400 > From: Ralph Katz <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: SSH Cracking Attempts > > On 10/01/04 03:30, Alexei Chetroi wrote: > ... > > > If

Re: SSH Cracking Attempts

2004-10-01 Thread Ralph Katz
On 10/01/04 03:30, Alexei Chetroi wrote: ... If you are a desktop user, do you really need ssh access from everywhere? If you need access to your machine from home, for example, define the IP range of your ISP in /etc/hosts.allow for ssh or shut down sshd entirely. -- Alexei Chetroi Linux, with cool fea

Re: SSH Cracking Attempts

2004-10-01 Thread Ralph Katz
On 10/01/04 00:20, Jacob S wrote: ... At this point I'm thinking tarpitting may provide the more thorough yet tailored approach, but I'm still in the process of doing research on it. And, depending on how it works, these two different approaches may be worth using in parallel. Thanks again, Jacob J

Re: SSH Cracking Attempts

2004-10-01 Thread Alexei Chetroi
On Thu, Sep 30, 2004 at 08:20:59PM -0400, Ralph Katz wrote: > Date: Thu, 30 Sep 2004 20:20:59 -0400 > From: Ralph Katz <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: SSH Cracking Attempts > > >From: Jacob S ([EMAIL PROTECTED]) > >Subject: SSH Cra

Re: SSH Cracking Attempts

2004-09-30 Thread Jacob S
On Thu, 30 Sep 2004 20:20:59 -0400 Ralph Katz <[EMAIL PROTECTED]> wrote: > > From: Jacob S ([EMAIL PROTECTED]) > > Subject: SSH Cracking Attempts > > > > The closest I've come to finding something that would help is this, > but I don't know how to apply this to Debian: > > http://lists.sans.o

Re: SSH Cracking Attempts

2004-09-30 Thread Ralph Katz
From: Jacob S ([EMAIL PROTECTED]) Subject: SSH Cracking Attempts Newsgroups: linux.debian.user Date: 2004-09-29 12:10:24 PST Every other day or so now I'm seeing attempts in my server's logs where some remote machine starts trying to guess a username/password combination to ssh into the server. T

Re: SSH Cracking Attempts

2004-09-30 Thread Kevin Mark
On Thu, Sep 30, 2004 at 12:15:45PM +0100, Jon Dowland wrote: > On Wed, 29 Sep 2004 16:08:53 -0500, Jacob S <[EMAIL PROTECTED]> wrote: > > On Wed, 29 Sep 2004 21:55:59 +0200 > > Matthijs <[EMAIL PROTECTED]> wrote: > > > > > In the Dutch computer magazine C't, I read an article a few months ago > >

Re: SSH Cracking Attempts

2004-09-30 Thread Jacob S
On Thu, 30 Sep 2004 21:31:46 +0200 Matthijs <[EMAIL PROTECTED]> wrote: > On Wed, 29 Sep 2004 23:10:11 +0200, Jacob S <[EMAIL PROTECTED]> > wrote: > > > On Wed, 29 Sep 2004 21:55:59 +0200 > > Matthijs <[EMAIL PROTECTED]> wrote: > > > > > It's not really what you're asking, but: > > > In the Dutch

Re: SSH Cracking Attempts

2004-09-30 Thread Matthijs
On Wed, 29 Sep 2004 23:10:11 +0200, Jacob S <[EMAIL PROTECTED]> wrote: > On Wed, 29 Sep 2004 21:55:59 +0200 > Matthijs <[EMAIL PROTECTED]> wrote: > > > It's not really what you're asking, but: > > In the Dutch computer magazine C't, I read an article a few months ago > > about protecting your com

Re: SSH Cracking Attempts

2004-09-30 Thread Joe
In message <[EMAIL PROTECTED]>, Jacob S <[EMAIL PROTECTED]> writes So, my question is this. Is there a way to tell ssh to refuse connections from an ip address after a certain number of failed login attempts, or is snort the only way to do something like this? So far I've been taking the manual ap

Re: SSH Cracking Attempts

2004-09-30 Thread Tim Kelley
On Thu, Sep 30, 2004 at 08:58:26AM -0500, Jacob S wrote: > No, I already have root logins disabled via ssh. Now I'd like to get > something set up that starts blocking ips automatically when it sees a > certain number of failed logins. Not blocking based on username, but > blocking based on ip addr

Re: SSH Cracking Attempts

2004-09-30 Thread Jacob S
On Thu, 30 Sep 2004 02:13:02 -0400 Kevin Mark <[EMAIL PROTECTED]> wrote: > On Wed, Sep 29, 2004 at 02:09:58PM -0500, Jacob S wrote: > > Every other day or so now I'm seeing attempts in my server's logs > > where some remote machine starts trying

Re: SSH Cracking Attempts

2004-09-30 Thread Jon Dowland
On Wed, 29 Sep 2004 16:08:53 -0500, Jacob S <[EMAIL PROTECTED]> wrote: > On Wed, 29 Sep 2004 21:55:59 +0200 > Matthijs <[EMAIL PROTECTED]> wrote: > > > In the Dutch computer magazine C't, I read an article a few months ago > > about protecting your computer using a port knocking system. If I > > r

Re: SSH Cracking Attempts

2004-09-30 Thread Francois Cerbelle
On Wed, Sep 29, 2004 at 09:55:59PM +0200, Matthijs wrote: > Some applications were named in the article - if you want, I can look > them up and post the names. I am interested too by these apps. Even if secret based protection isn't secure. :-S -- Mourir n'est pas mourir ; mes amis ! C'est c

Re: SSH Cracking Attempts

2004-09-29 Thread Kevin Mark
On Wed, Sep 29, 2004 at 02:09:58PM -0500, Jacob S wrote: > Every other day or so now I'm seeing attempts in my server's logs where > some remote machine starts trying to guess a username/password > combination to ssh into the server. They try everything

Tarpit (was Re: SSH Cracking Attempts)

2004-09-29 Thread Nicolas
> Sorry to change the subject and sound dumb, but how would 1 go about > setting up a tarpit? any urls ?? > Just go to the netfilter website http://netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT You'll need to patch the kernel. There are lots of other cool things to try in the p

Re: SSH Cracking Attempts

2004-09-29 Thread Jamin W. Collins
On Wed, Sep 29, 2004 at 04:10:58PM -0400, Nicolas wrote: > > > So, my question is this. Is there a way to tell ssh to refuse > > connections from an ip address after a certain number of failed > > login attempts, or is snort the only way to do something like this? > > So far I've been taking the m

Re: SSH Cracking Attempts

2004-09-29 Thread Glyn Tebbutt
On Wed, 2004-09-29 at 21:10, Nicolas wrote: > > So, my question is this. Is there a way to tell ssh to refuse > > connections from an ip address after a certain number of failed login > > attempts, or is snort the only way to do something like this? So far > > I've been taking the manual approach,

Re: SSH Cracking Attempts

2004-09-29 Thread Andrea Vettorello
On Wed, 29 Sep 2004 16:13:10 -0500, Jacob S <[EMAIL PROTECTED]> wrote: > On Wed, 29 Sep 2004 16:10:58 -0400 > Nicolas <[EMAIL PROTECTED]> wrote: > > > > > > So, my question is this. Is there a way to tell ssh to refuse > > > connections from an ip address after a certain number of failed > > > log

Re: SSH Cracking Attempts

2004-09-29 Thread Jacob S
On Wed, 29 Sep 2004 16:10:58 -0400 Nicolas <[EMAIL PROTECTED]> wrote: > > > So, my question is this. Is there a way to tell ssh to refuse > > connections from an ip address after a certain number of failed > > login attempts, or is snort the only way to do something like this? > > So far I've bee

Re: SSH Cracking Attempts

2004-09-29 Thread Jacob S
On Wed, 29 Sep 2004 21:55:59 +0200 Matthijs <[EMAIL PROTECTED]> wrote: > On Wed, 29 Sep 2004 21:10:24 +0200, Jacob S <[EMAIL PROTECTED]> > wrote: > > > So, my question is this. Is there a way to tell ssh to refuse > > connections from an ip address after a certain number of failed > > login attem

Re: SSH Cracking Attempts

2004-09-29 Thread Matthijs
On Wed, 29 Sep 2004 21:10:24 +0200, Jacob S <[EMAIL PROTECTED]> wrote: > So, my question is this. Is there a way to tell ssh to refuse > connections from an ip address after a certain number of failed login > attempts, or is snort the only way to do something like this? So far > I've been taking t

Re: SSH Cracking Attempts

2004-09-29 Thread Nicolas
> So, my question is this. Is there a way to tell ssh to refuse > connections from an ip address after a certain number of failed login > attempts, or is snort the only way to do something like this? So far > I've been taking the manual approach, blocking the ip address with > my firewall after I