On Tuesday 21 December 2004 03:46, Fajar Priyanto wrote:
> > It happened while the victim was working on pc and noticed the cpu
> > increase in gkrellm. So check your logs for something like this.
> > And if you use passwords instead of ssh keys, then make sure your
> > passwords are not simple to guess.
> >
> > Seems some user/password scans are checking for easy sshd logins
> >
> > HTH, after all the security talk here lately ...
>
> Yes, it has been happening in the last few months I think. The
> usernames that are mostly used are: patrick, test, horde.
Here is a script I wrote to work around SSH probes. It is NOT elegant, very quick and dirtyish but it does seem to work and it can be run from a cron job fairly often without problems.

#!/bin/sh
cd /usr/local/sbin

#Optional, remove old entries
#rm ./sshd_block/block.txt

#This will parse the messages file and extract the sshd "Failed" lines
grep sshd /var/log/messages | grep Failed >> ./sshd_block/block.txt

#This pulls only the IP address out of each line: the word that follows
#"from", so it works whether the line says "illegal user patrick" or just
#"root". sort -u is used because uniq alone only drops adjacent duplicates,
#and new_block.txt is rewritten (not appended) so it does not grow forever.
awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' ./sshd_block/block.txt \
    | sort -u > ./sshd_block/new_block.txt

target=`cat ./sshd_block/new_block.txt`

for i in $target; do
    echo ALL:$i >> /etc/hosts.deny
    #echo ALL:$i
done

#remove extra entries from hosts.deny
sort /etc/hosts.deny | uniq > /etc/hosts.new
cp /etc/hosts.new /etc/hosts.deny

REMOVE linewrap from the script above. Also, you won't lose any items already in your hosts.deny.

Basically, I grep the /var/log/messages file for sshd entries and then further grep for Failed lines. This should pick up all the invalid users that the probes create. Next, I use only uniq entries, and cut the IP address out so you only get a list of uniq IP's from that criteria. Then, I add them to hosts.deny.

If you want to be more safe, you can change the line above to read "grep Invalid user" instead of "grep Failed" and then you will only add IP's who used an invalid user account. Still possible for you to slip up and get banned yourself. Also, I don't remove entries, I only add them. If you know the IP ranges or addresses that you SSH from, add them to hosts.allow just to be extra safe.

Use this at your own risk. I am NOT a developer, and certainly not a good developer. Also, you need to put this script as is into /usr/local/sbin and you need to create a working directory called /usr/local/sbin/sshd_block. Or edit for your own system. Script must be run as root to change /etc/hosts.deny and to access the logs.
For the record, there is another perl script called SSHD-Sentry that I am working with to see if I can get it working. If I do, I will post a link to it and help anyone that wants to get it working. Also, you might try to find BFD (brute force detection) which is another script. I couldn't get that one to work on Mandrake but someone else may be able to do better. http://rfxnetworks.com/bfd.php

-- Bryan Phinney
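The two weak spots Bryan himself points out (a single failed login can get you banned, and the script never consults hosts.allow before writing to hosts.deny) can both be handled in the log-parsing step. The following is an added example, not Bryan's script or any of the tools he names: it counts failed sshd logins per source address over a few constructed syslog lines, only lists an address once it reaches a threshold, skips addresses on an allowlist, and prints the hosts.deny lines as a dry run instead of writing them. The function name, the log lines and the addresses are all made up for the example; the log format mimics the "Failed password for ... from <ip>" lines the thread is about.

```shell
#!/bin/sh
# Added example (not the original poster's script): count sshd failures per
# source address, skip allowlisted addresses, emit hosts.deny lines (dry run).
# The log lines below are constructed to look like 2004-era syslog output.

SAMPLE_LOG=$(cat <<'EOF'
Dec 21 03:46:01 box sshd[4211]: Failed password for illegal user patrick from 10.0.0.5 port 40001 ssh2
Dec 21 03:46:02 box sshd[4211]: Failed password for illegal user test from 10.0.0.5 port 40002 ssh2
Dec 21 03:46:03 box sshd[4212]: Failed password for root from 10.0.0.5 port 40003 ssh2
Dec 21 03:47:10 box sshd[4220]: Failed password for illegal user horde from 192.0.2.9 port 50010 ssh2
Dec 21 03:48:00 box sshd[4230]: Failed password for bryan from 192.168.1.10 port 51000 ssh2
Dec 21 03:48:01 box sshd[4230]: Failed password for bryan from 192.168.1.10 port 51000 ssh2
Dec 21 03:48:02 box sshd[4230]: Failed password for bryan from 192.168.1.10 port 51000 ssh2
Dec 21 03:49:00 box sshd[4240]: Accepted publickey for bryan from 192.168.1.10 port 51001 ssh2
EOF
)

# offenders LOG THRESHOLD ALLOWLIST   (hypothetical helper for this example)
#   LOG        the log text as one string
#   THRESHOLD  minimum number of failures before an address is listed
#   ALLOWLIST  space-separated addresses that are never listed
# Prints one "ALL: <ip>" line per offending address, sorted.
offenders() {
    printf '%s\n' "$1" | awk -v threshold="$2" -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) safe[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password/ {
            # take the word after "from" rather than a fixed column, so lines
            # with "illegal user X" and plain "root" both yield the address
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold && !(ip in safe)) print "ALL: " ip
        }' | sort
}

# Dry run: what would be appended to /etc/hosts.deny with a threshold of 2
# and your own workstation (192.168.1.10 here) on the allowlist.
offenders "$SAMPLE_LOG" 2 "192.168.1.10"
```

With the sample above only 10.0.0.5 is printed: 192.0.2.9 failed just once, and 192.168.1.10 failed three times but is allowlisted. Redirecting the function's output to /etc/hosts.deny (and then deduplicating as Bryan's script does) turns the dry run into the real thing; keeping the allowlist in sync with hosts.allow is what keeps you from locking yourself out.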