Firewall Wizards mailing list archives

Re: SSH brute force attack


From: Mark Tinberg <mtinberg () securepipe com>
Date: Thu, 30 Jun 2005 15:11:58 -0500 (CDT)

On Fri, 24 Jun 2005, Toderick, Lee W wrote:

> Our computers running SSH daemons have logged attacks. The attacks begin
> with a scan logged "Did not receive identification string from x.x.x.x",
> followed approximately 15 minutes later with "Illegal user " or " Failed
> password for root".

That's pretty much normal, people are scanning for easy to access ssh 
services all the time.  The way to deal with this is to not allow 
worldwide access to your ssh daemon.  OpenSSH has not had a perfect 
security track record, for security software it has a lot of extraneous 
functionality, so you have to protect it just like you'd protect any other 
service.

If you absolutely have to expose it to the world (you run a shellbox for 
example) then at least take the precaution of disabling direct root 
access, having a very strict password policy (which is enforced) and 
turning off features you don't need (like port forwarding, SOCKS proxy, X 
forwarding, SFTP, etc.).

-- 
Mark Tinberg <MTinberg () securepipe com>
Network Administrator, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67
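
Added example, not part of the original message or of OpenSSH: a small audit of sshd_config text for the settings the reply names (direct root login, TCP port forwarding, which also covers SOCKS proxying, X forwarding and the SFTP subsystem). The sample config is constructed, the function names are hypothetical, and the values used when a keyword is unset are assumptions that vary by OpenSSH version.

```python
# Constructed sample config for illustration; not taken from a real host.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
X11Forwarding yes
Subsystem sftp /usr/libexec/sftp-server
# sshd keeps the first value it reads, so the next line has no effect
PermitRootLogin no
Match User backup
    AllowTcpForwarding no
"""

# keyword -> (value assumed when unset, values accepted as hardened).
# Assumption: unset PermitRootLogin is treated as "yes" (older OpenSSH default).
CHECKS = {
    "permitrootlogin": ("yes", {"no"}),
    "allowtcpforwarding": ("yes", {"no"}),  # also governs ssh -D SOCKS proxying
    "x11forwarding": ("no", {"no"}),
}

def global_settings(text):
    """Return first-seen global keyword values and the Subsystem names."""
    seen, subsystems = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break  # Match blocks are conditional overrides; audit globals only
        if key == "subsystem" and args:
            subsystems.append(args[0].lower())
        elif args:
            seen.setdefault(key, args[0].lower())  # first occurrence wins
    return seen, subsystems

def audit(text):
    """List settings that leave a feature named in the message enabled."""
    seen, subsystems = global_settings(text)
    findings = []
    for key, (default, hardened) in CHECKS.items():
        value = seen.get(key, default)
        if value not in hardened:
            source = "explicit" if key in seen else "default"
            findings.append(f"{key}={value} ({source})")
    if "sftp" in subsystems:
        findings.append("subsystem sftp enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The audit covers global settings only; anything inside a Match block needs a separate review against the users or hosts it applies to.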

