Hi
On Sat, 22 Oct 2005 01:49, Greg Folkert wrote:
> Lately, I have been requiring key-auth just to get a Login prompt, which
> then use a login and password challenge scheme, once that is successful,
> the Login and the key have to match up as well. IOW, not only do you have
> to have the right Key
On Wednesday 16 Nov 2005 00:34, Jiann-Ming Su wrote:
> On 10/15/05, Ritesh Raj Sarraf <[EMAIL PROTECTED]> wrote:
> > ## SSH Bruteforce
> > iptables -N SSH_WHITELIST
> > iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
> > iptables -A INPUT -p tcp --dport 22 -m state
On Oct 3, 2005, at 1:57 AM, Jared Hall wrote:
> > It looks like I am being rooted right now. How do I toss this guy off
> > of my system. [...snip...] I
> > can't shut down ssh because that's my only connection to the system.
It's probably not going to help now, but fireHOL
(frontend to iptable
On 10/15/05, Ritesh Raj Sarraf <[EMAIL PROTECTED]> wrote:
> ## SSH Bruteforce
> iptables -N SSH_WHITELIST
> iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> iptables -A INPU
On Oct 3, 2005, at 1:57 AM, Jared Hall wrote:
It looks like I am being rooted right now. How do I toss this guy off
of my system. [...snip...] I
can't shut down ssh because that's my only connection to the system.
[a bit late to the party, but...]
Yes you can. You can repel an
On Mon, 2005-10-03 at 14:00 -0700, Jared Hall wrote:
> I took care of it all last night a couple of minutes after I posted.
> Here's what I did.
>
> I looked at my logs and found that there was no successful root login.
> the reason netstat was showing another root connection from the
> mentione
On Tue, 11 Oct 2005, Marty wrote:
Dick Davies wrote:
On 11/10/05, Marty <[EMAIL PROTECTED]> wrote:
> If your machines are all exposed to the internet or to an insecure
> LAN, then I don't see how you can safely use ssh at all. I would
> never attempt such a thing, so you are much braver t
Dick Davies wrote:
On 11/10/05, Marty <[EMAIL PROTECTED]> wrote:
If your machines are all exposed to the internet or to an insecure
LAN, then I don't see how you can safely use ssh at all. I would
never attempt such a thing, so you are much braver than I.
What I would do instead is limit ssh
On 11/10/05, Marty <[EMAIL PROTECTED]> wrote:
> If your machines are all exposed to the internet or to an insecure
> LAN, then I don't see how you can safely use ssh at all. I would
> never attempt such a thing, so you are much braver than I.
>
> What I would do instead is limit ssh logins to a s
Alvin Oga wrote:
On Tue, 11 Oct 2005, Marty wrote:
Thanks, you just reminded me of two more items for my ssh hardening plan:
-deny root login
-turn off sshd access after a specified number of failed login attempts,
or any attempts outside the specific IP address range.
those should be done
On Tue, 11 Oct 2005, Marty wrote:
> Thanks, you just reminded me of two more items for my ssh hardening plan:
>
> -deny root login
>
> -turn off sshd access after a specified number of failed login attempts,
> or any attempts outside the specific IP address range.
those should be done BEFORE
Alvin Oga wrote:
On Tue, 11 Oct 2005, Marty wrote:
> grep whatever you like from the gazillion log files for ssh this and ssh
> that
I don't know what you're getting at here. The idea is to get a realtime email
alert.
one can get any and all kinds of alerts till you're blue ( satisfied )
On Tue, 11 Oct 2005, Marty wrote:
> > grep whatever you like from the gazillion log files for ssh this and ssh
> > that
>
> I don't know what you're getting at here. The idea is to get a realtime
> email alert.
one can get any and all kinds of alerts till you're blue ( satisfied )
-
Alvin Oga wrote:
On Mon, 10 Oct 2005, Marty wrote:
> simple test ...
> ( use your positive or negative logic equivalents for these files )
>
> /etc/hosts.deny
>ALL : ALL
I'm not sure that will work with the manpage example I gave.
works for me ... no services coming in that is not supp
On Mon, 10 Oct 2005, Marty wrote:
> > simple test ...
> > ( use your positive or negative logic equivalents for these files )
> >
> > /etc/hosts.deny
> > ALL : ALL
>
> I'm not sure that will work with the manpage example I gave.
works for me ... no services coming in that is not supposed
Alvin Oga wrote:
On Tue, 4 Oct 2005, Henrique de Moraes Holschuh wrote:
On Mon, 03 Oct 2005, Marty wrote:
> Correction -- it's in the hosts.deny man page. As others have already
> pointed out, sshd must be configured to start via inetd.
Must it? It uses tcp-wrappers natively, it should not
On Tue, 4 Oct 2005, Henrique de Moraes Holschuh wrote:
> On Mon, 03 Oct 2005, Marty wrote:
> > Correction -- it's in the hosts.deny man page. As others have already
> > pointed out, sshd must be configured to start via inetd.
>
> Must it? It uses tcp-wrappers natively, it should not need inet
On Mon, 03 Oct 2005, Marty wrote:
> Correction -- it's in the hosts.deny man page. As others have already
> pointed out, sshd must be configured to start via inetd.
Must it? It uses tcp-wrappers natively, it should not need inetd for
ANYTHING concerning /etc/hosts.allow or /etc/hosts.deny.
--
On (07/10/05 17:38), Del Boy wrote:
> >It looks like I am being rooted right now. How do I toss this guy off
> >of my system. he has an IP address of 210.95.212.131
> >
> >Please get back to me fast. I took the compilers off of the system,
> >and it's only running dns... so there's no firewall o
Jared Hall wrote:
It looks like I am being rooted right now. How do I toss this guy off
of my system. he has an IP address of 210.95.212.131
Please get back to me fast. I took the compilers off of the system,
and it's only running dns... so there's no firewall or anything. I
can't shut down
On 10/04/2005 11:00 PM, David E. Fox wrote:
> I've logged thousands of attempts from chinanet
> and kornet within the last few days. I've reported (as if that would do
> any good) with "Free Tibet" and of course copies of the log - 500K in
> one instance(!) but am more interested in just blocking t
On Mon, 3 Oct 2005 18:23:15 +
Pollywog <[EMAIL PROTECTED]> wrote:
> I get lots of those, often from Asia and S. America. Block the IP at the
> firewall. If you install Portsentry, you can have Portsentry block them
Very good idea. I remember having that installed last time Slapper or
one
On Mon, 03 Oct 2005 19:44:38 -0400
Gene Heskett <[EMAIL PROTECTED]> wrote:
> Somebody mentioned portsentry, and I don't know why so many admins
> seem to hate it. I've been running it here for probably 6-7 years,
> and it's automatically dropped lots of connection attempts back when I
And portsent
On Sun, 2 Oct 2005 22:57:25 -0700
Jared Hall <[EMAIL PROTECTED]> wrote:
> It looks like I am being rooted right now. How do I toss this guy off
> of my system. he has an IP address of 210.95.212.131
It's happening here. I've logged thousands of attempts from chinanet
and kornet within the last
On Sun, Oct 02, 2005 at 10:57:25PM -0700, Jared Hall wrote:
> It looks like I am being rooted right now. How do I toss this guy off
> of my system. he has an IP address of 210.95.212.131
>
> Please get back to me fast. I took the compilers off of the system,
> and it's only running dns... so th
On Oct 03 2005, Jared Hall wrote:
> Keep posting your security ideas/knowledge though... I'm sure everyone
> will benefit.
Well, I recently discovered the package "tiger" and it is full of good
advice.
It will probably take 10 minutes or so examining your system, but some
of its suggestions are
Marty wrote:
The inetd man page gives an example for use with a specific service:
/etc/hosts.deny:
in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \
/usr/bin/mail -s %d-%h root) &
Correction -- it's in the hosts.deny man page. As others have already
pointed
On Mon, 3 Oct 2005, Pollywog wrote:
> Do you know for sure that /etc/hosts.deny has anything to do with ssh?
> I thought /etc/hosts.deny would only work with services that run from inetd
> or
> xinetd, not with daemons.
ssh is typically built with tcpwrappers .. and ez enough to do so
if its n
On 10/03/2005 09:00 pm, Jared Hall wrote:
> I took care of it all last night a couple of minutes after I posted.
> Here's what I did.
>
> I looked at my logs and found that there was no successful root login.
> the reason netstat was showing another root connection from the
> mentioned ip is that
On Monday 03 October 2005 15:23, Alvin Oga wrote:
>On Mon, 3 Oct 2005, Pollywog wrote:
>> On 10/03/2005 06:14 pm, Marty wrote:
>> > Jared Hall wrote:
>> > > It looks like I am being rooted right now. How do I toss this guy
>> > > off of my system. he has an IP address of 210.95.212.131
>> >
>> >
Landy Bible wrote:
Marty wrote:
-configure the ssh server to report any successful ssh login using email,
and/or send a page or cell phone alert
I can only guess at this point because I've not tried it.
A crude example might be using a login script to detect whether the shell is
starting in
On Mon, 3 Oct 2005, Landy Bible wrote:
> Marty wrote:
>
> > -configure the ssh server to report any successful ssh login using email,
> > and/or send a page or cell phone alert
> >
> > -do the same for multiple failed connection attempts
> >
> Could someone point me at a way to do this?
thin
Marty wrote:
-configure the ssh server to report any successful ssh login using email,
and/or send a page or cell phone alert
-do the same for multiple failed connection attempts
Could someone point me at a way to do this?
--
Landy J. Bible
The University of Tulsa
Computer Science Student
>Also, for goodness sake, please disallow root login via ssh.
I forgot to mention that I did that too (among a few other minor
tweaks) It's a new dns server which I just put up for testing
purposes... so it's not that big of a deal.
>I highly recommend the use of shorewall for something like this
Quoting Jared Hall <[EMAIL PROTECTED]>:
I took care of it all last night a couple of minutes after I posted.
Here's what I did.
I looked at my logs and found that there was no successful root login.
the reason netstat was showing another root connection from the
mentioned ip is that the script
I took care of it all last night a couple of minutes after I posted.
Here's what I did.
I looked at my logs and found that there was no successful root login.
the reason netstat was showing another root connection from the
mentioned ip is that the script kiddie was rapidly connecting to my
sshd
Alvin Oga wrote:
- if it was a hole in ssh, ALL and i mean ALL other Debianites and
possibly other Linuxites will be equally susceptible and some
of them will have noticed that they too were successfully attacked
==
== time for you ( marty ) change the way you use ssh and/or the way you
=
On Mon, 3 Oct 2005, Pollywog wrote:
> On 10/03/2005 06:14 pm, Marty wrote:
> > Jared Hall wrote:
> > > It looks like I am being rooted right now. How do I toss this guy off
> > > of my system. he has an IP address of 210.95.212.131
> >
> > It's a kid! Whois returns "Hanguk Kwangsan Technoledge
On 10/03/2005 06:14 pm, Marty wrote:
> Jared Hall wrote:
> > It looks like I am being rooted right now. How do I toss this guy off
> > of my system. he has an IP address of 210.95.212.131
>
> It's a kid! Whois returns "Hanguk Kwangsan Technoledge High School."
BTW if you want to kill the connec
On 10/03/2005 06:14 pm, Marty wrote:
> Jared Hall wrote:
> > It looks like I am being rooted right now. How do I toss this guy off
> > of my system. he has an IP address of 210.95.212.131
>
> It's a kid! Whois returns "Hanguk Kwangsan Technoledge High School."
I get lots of those, often from As
Jared Hall wrote:
It looks like I am being rooted right now. How do I toss this guy off
of my system. he has an IP address of 210.95.212.131
It's a kid! Whois returns "Hanguk Kwangsan Technoledge High School."
On Mon, Oct 03, 2005 at 08:55:03AM +0200, Andreas Janssen wrote:
> Hello
>
> Jared Hall (<[EMAIL PROTECTED]>) wrote:
>
> > It looks like I am being rooted right now. How do I toss this guy off
> > of my system. he has an IP address of 210.95.212.131
> >
> > Please get back to me fast. I took
On Sun, 2005-10-02 at 22:57 -0700, Jared Hall wrote:
> It looks like I am being rooted right now. How do I toss this guy off
> of my system. he has an IP address of 210.95.212.131
>
> Please get back to me fast. I took the compilers off of the system,
> and it's only running dns... so there's n
Hello
Jared Hall (<[EMAIL PROTECTED]>) wrote:
> It looks like I am being rooted right now. How do I toss this guy off
> of my system. he has an IP address of 210.95.212.131
>
> Please get back to me fast. I took the compilers off of the system,
> and it's only running dns... so there's no fir
It looks like I am being rooted right now. How do I toss this guy off
of my system. he has an IP address of 210.95.212.131
Please get back to me fast. I took the compilers off of the system,
and it's only running dns... so there's no firewall or anything. I
can't shut down ssh because that's m