Re: sshd attack?
ippl is also quite helpful. http://pltplp.net/ippl/.

On Wed, Aug 15, 2001 at 09:59:27AM +0200, Jörgen Persson wrote:
> [...]
> > How can I find out, from where this attack is originating? Must I
> > increase the verbosity level of sshd to achieve this?
>
> sshd might be able to do it. I'm logging the originating address through
> my internet services daemon. I happen to use tcpserver[1] but inetd[2]
> and xinetd[3] ought to be able to do it as well. A second alternative is
> to do it through a tcpwrapper like Venema's[4].
>
> Jörgen
>
> [1] http://cr.yp.to/ucspi.tcp/tcpserver.html
> [2] ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/
> [3] http://www.xinetd.org/
> [4] ftp://ftp.porcupine.org/pub/security/

--
Any OS is only as good as its admin, and you obviously suck.
  -- Ian Gulliver, http://orbz.org/mail/mansunix.txt
Re: sshd attack?
On Wed, Aug 15, 2001 at 09:37:51AM +0200, Siegbert Baude wrote:
> I get about 100 log entries of the following pattern:
>
> Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation attack: network attack detected

I got the same.

Aug 14 11:46:44 nepomuk sshd[12166]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 11:46:44 nepomuk sshd[12165]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 11:46:44 nepomuk sshd[12167]: Connection closed by 192.167.166.229

> What's this?

An old but long fixed sshd vulnerability.

> How can I find out, from where this attack is originating? Must I
> increase the verbosity level of sshd to achieve this?

Notice the last line of my logs? You should find something like this too.
A simple whois will tell you more about the network the attack came from.

Phil
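An added example, not part of Phil's message or of anything in this thread: a small Python parser that runs over constructed sshd syslog lines shaped like the ones quoted above, pairs each "crc32 compensation attack" disconnect with the source address from a "Connection closed by" line logged by sshd on the same host within a short time window, and counts hits per address, giving the list you would then hand to whois. In the quoted log the disconnect and the "Connection closed by" lines carry different pids (12165/12166 vs 12167), so the code correlates by timestamp rather than pid; the two-second window, the sample lines and the year used to complete the syslog timestamps are all assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Aug 14 11:46:44 nepomuk sshd[12166]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 11:46:44 nepomuk sshd[12165]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 11:46:44 nepomuk sshd[12167]: Connection closed by 192.167.166.229
Aug 14 11:52:10 nepomuk sshd[12201]: Accepted publickey for alice from 10.0.0.5 port 40122 ssh2
Aug 14 23:01:03 nepomuk sshd[13001]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 23:01:04 nepomuk sshd[13002]: Connection closed by 10.9.8.7
Aug 15 01:00:00 nepomuk sshd[13100]: Disconnecting: crc32 compensation attack: network attack detected
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CRC32_MSG = "crc32 compensation attack"
CLOSED_RE = re.compile(r"^Connection closed by (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_line(line, year=2001):
    """Return (timestamp, host, pid, msg) for an sshd line, or None for anything else.

    Syslog omits the year, so it is supplied by the caller (assumed 2001 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], int(m["pid"]), m["msg"]


def attribute_crc32(log_text, window_seconds=2):
    """Count crc32 disconnects per source address.

    Each disconnect is attributed to the nearest "Connection closed by" line on
    the same host within window_seconds (heuristic: the pids differ, so time is
    the only link). Returns (Counter of ip -> hits, number left unattributed)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    closes = defaultdict(list)  # host -> [(timestamp, ip)]
    for ts, host, _pid, msg in events:
        cm = CLOSED_RE.match(msg)
        if cm:
            closes[host].append((ts, cm["ip"]))
    hits = Counter()
    unattributed = 0
    for ts, host, _pid, msg in events:
        if CRC32_MSG not in msg:
            continue
        candidates = [
            (abs((cts - ts).total_seconds()), ip)
            for cts, ip in closes[host]
            if abs((cts - ts).total_seconds()) <= window_seconds
        ]
        if candidates:
            hits[min(candidates)[1]] += 1  # closest close-message wins
        else:
            unattributed += 1
    return hits, unattributed


if __name__ == "__main__":
    hits, missing = attribute_crc32(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:>15}  {n} crc32 disconnect(s)  -> whois {ip}")
    print(f"{missing} disconnect(s) had no nearby 'Connection closed by' line")
```

The last sample line shows the failure mode worth knowing about: a disconnect with no "Connection closed by" line close enough in time stays unattributed rather than being pinned on an unrelated address, which is exactly the situation where the inetd/xinetd/tcpd logging suggested elsewhere in this thread is the more reliable source.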
Re: sshd attack?
On Wed, Aug 15, 2001 at 09:37:51AM +0200, Siegbert Baude wrote:
> Hello,
>
> I get about 100 log entries of the following pattern:
>
> Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation attack: network attack detected
>
> What's this?

I do not know.

> How can I find out, from where this attack is originating? Must I
> increase the verbosity level of sshd to achieve this?

sshd might be able to do it. I'm logging the originating address through
my internet services daemon. I happen to use tcpserver[1] but inetd[2]
and xinetd[3] ought to be able to do it as well. A second alternative is
to do it through a tcpwrapper like Venema's[4].

Jörgen

[1] http://cr.yp.to/ucspi.tcp/tcpserver.html
[2] ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/
[3] http://www.xinetd.org/
[4] ftp://ftp.porcupine.org/pub/security/
Re: sshd attack?
In fact why not just be really cruel: install the dtk (deception toolkit)
- find it at all.net - and then watch the hackers think that they've
found a vulnerable box and try to exploit it whilst you gather enough
information about them to... [fill in as necessary].

Of course all the files that they manage to steal from your system are
faked, then they'll waste 2 days running a brute force cracker and will
then get upset when the usernames/passwords don't work... Nice! ;-)

Matthew

On Wed, Aug 15, 2001 at 09:59:27AM +0200, Jörgen Persson wrote:
> On Wed, Aug 15, 2001 at 09:37:51AM +0200, Siegbert Baude wrote:
> > Hello,
> >
> > I get about 100 log entries of the following pattern:
> >
> > Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation attack: network attack detected
> >
> > What's this?
>
> I do not know.
>
> > How can I find out, from where this attack is originating? Must I
> > increase the verbosity level of sshd to achieve this?
>
> sshd might be able to do it. I'm logging the originating address through
> my internet services daemon. I happen to use tcpserver[1] but inetd[2]
> and xinetd[3] ought to be able to do it as well. A second alternative is
> to do it through a tcpwrapper like Venema's[4].
>
> Jörgen
>
> [1] http://cr.yp.to/ucspi.tcp/tcpserver.html
> [2] ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/
> [3] http://www.xinetd.org/
> [4] ftp://ftp.porcupine.org/pub/security/

--
Matthew Sackman
Nottingham, ENGLAND
Using Debian/GNU Linux
Enjoying computing

It said 'Required Windows XP or better.' So I installed Linux.
Re: sshd attack?
On Wed, Aug 15, 2001 at 08:16:26PM +0100, Matthew Sackman wrote:
> In fact why not just be really cruel: install the dtk (deception toolkit)
> - find it at all.net - and then watch the hackers think that they've
> found a vulnerable box and try to exploit it whilst you gather enough
> information about them to... [fill in as necessary].

I think it's not wise to install additional software that provides some
kind of network service. dtk itself might help to compromise security.
Keep it simple.

Phil