[Gllug] ssh attacks
Alain Williams
addw at phcomp.co.uk
Fri Feb 3 10:49:22 UTC 2006
On Fri, Feb 03, 2006 at 10:39:11AM +0000, John Southern wrote:
> I opened up an sshd on a box to be able to extract some info from a remote
> box. I went away and got the files I needed. However, I thought my link was
> slow so I looked at the logs. The messages log shows an ssh attempt every few
> seconds. I think it took about thirty seconds from first being opened to the
> first attack.
>
> Was I just unlucky and if so, what is the average time before an ssh box is
> attacked?
Unlucky, but I regularly get ssh attacks. Just live with it.
> Although not quite working through a dictionary attack, it is definitely a
> preprepared list of common user names. I traced this back to a host name of
> zz-13-91-a8.bta.net.cn from its IP address of 202.108.13.91
I insert the following at the top of my /etc/pam.d/sshd:
auth required pam_listfile.so sense=allow item=user file=/etc/ssh/sshAuthorisedUsers onerr=fail
and I put a list of usernames into /etc/ssh/sshAuthorisedUsers of the people who I
want to be allowed to login to the box.
--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include <std_disclaimer.h>
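
An added example, not part of the original post: a shell check of the pam_listfile allow-list described above. It verifies that the rule is the first auth line, that the file= target exists, that it is not world-writable, and that it holds one username per line. The function name and script name are hypothetical; the list path is read from the rule itself.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pam_listfile allow-list.
# Usage: sh check_allowlist.sh /etc/pam.d/sshd   (script name is hypothetical)

# check_sshd_allowlist PAM_FILE -> 0 if sane, otherwise prints why and returns:
#   1 rule missing or not first   2 no file= argument   3 list file missing
#   4 list world-writable         5 list has lines containing whitespace
check_sshd_allowlist() {
    pam_file=$1
    # The allow rule only gates every login if it is the first auth line.
    first_auth=$(grep -E '^[[:space:]]*auth[[:space:]]' "$pam_file" 2>/dev/null | head -n 1)
    case $first_auth in
        *pam_listfile.so*sense=allow*) ;;
        *) echo "first auth line is not a pam_listfile sense=allow rule"; return 1 ;;
    esac
    # Pull the path out of the file= argument of that rule.
    list_file=$(printf '%s\n' "$first_auth" |
        sed -n 's/.*[[:space:]]file=\([^[:space:]]*\).*/\1/p')
    [ -n "$list_file" ] || { echo "rule has no file= argument"; return 2; }
    # With onerr=fail a missing list refuses every user, including you.
    [ -f "$list_file" ] || { echo "$list_file is not a regular file"; return 3; }
    # pam_listfile(8) requires a plain file that is not world writable.
    if [ -n "$(find "$list_file" -perm -0002)" ]; then
        echo "$list_file is world-writable"; return 4
    fi
    # The file format is one item per line; flag lines with stray whitespace.
    if grep -nE '[[:space:]]' "$list_file"; then
        echo "lines above contain whitespace; expected one username per line"
        return 5
    fi
    return 0
}

if [ "$#" -gt 0 ]; then
    check_sshd_allowlist "$1"
fi
```

Run it against a copy of the PAM file first, and keep an existing ssh session open while changing the live one.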