Possible hacking on SSH what should I do?

Jamon Camisso jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Tue Jul 13 19:30:24 UTC 2010


On 07/13/2010 03:15 PM, Myles Braithwaite wrote:
> Someone from a French IP is trying to access one of my servers:
> 
> Jul 13 15:05:30 fox sshd[1866]: reverse mapping checking getaddrinfo
> for 23-194.213-56.static-ip.oleane.fr [213.56.194.23] failed -
> POSSIBLE BREAK-IN ATTEMPT!
> 
> They probably won't be able to get in (I use only ssh key access) but
> what is the best procedure to stop them from getting further?
> 
> Should I contact the ISP?
> Should I ban him under '/etc/hosts.deny'?

fail2ban or denyhosts are good tools for that.

I also use knockd for host servers. Unless someone knows the different
UDP and TCP packet sequences to unlock iptables (I use 5 packets), ssh
is completely invisible. Security through obscurity, yes, but if you
don't know that ssh is listening, there's nothing to really scan for in
the first place :)

It would also take a very dedicated attacker sitting between a machine
and a remote knock client to capture every TCP/UDP packet to figure out
the correct sequence.

Jamon
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
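A knockd configuration of the kind the reply describes (a mixed TCP/UDP sequence that opens port 22 only to the knocking address), added here as an illustration and not taken from the poster's setup: the port numbers, timeouts and iptables rule placement are assumptions, and the real server would need a default policy that drops port 22 for everyone else.

```ini
[options]
    logfile = /var/log/knockd.log

# Five knocks, mixing protocols as the reply suggests; all must arrive
# within seq_timeout seconds from the same source address.
[openSSH]
    sequence    = 7000:udp,8000:tcp,9000:udp,7001:tcp,8001:udp
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# Reverse sequence removes the rule again; a forgotten close leaves the
# hole open for that address until the rule is deleted by hand.
[closeSSH]
    sequence    = 8001:udp,7001:tcp,9000:udp,8000:tcp,7000:udp
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

The caveat the reply itself raises applies as written: anyone who can observe the knock traffic once can replay the same five packets, since nothing in a static sequence is secret after it has been seen, so the knock gates visibility of the port rather than replacing key-based authentication behind it.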
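The ban logic fail2ban and denyhosts apply to the sshd lines quoted above, as an added example (not code from the thread or from either project): count authentication failures per source IP over a sliding window and emit a ban once a threshold is crossed, in fail2ban's `maxretry`/`findtime` terms. The log lines are constructed with RFC 5737 documentation addresses, the year is assumed (syslog timestamps omit it), and the thresholds are illustrative. One check worth noting: sshd logs "reverse mapping checking ... POSSIBLE BREAK-IN ATTEMPT!" whenever the client's PTR record does not resolve back to its address, so that line alone records a DNS mismatch rather than a failed login; whether it counts toward a ban is made a parameter here so the difference is visible.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, not from the original post: syslog-format sshd lines
# using documentation addresses. 203.0.113.45 produces one reverse-mapping
# warning plus two failed passwords; 198.51.100.7 fails twice, far apart.
SAMPLE_LOG = """\
Jul 13 15:05:30 fox sshd[1866]: reverse mapping checking getaddrinfo for host-45.example.net [203.0.113.45] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 13 15:05:31 fox sshd[1866]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jul 13 15:05:33 fox sshd[1868]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jul 13 15:06:01 fox sshd[1872]: Accepted publickey for myles from 192.0.2.10 port 40022 ssh2
Jul 13 15:07:10 fox sshd[1874]: Failed password for invalid user oracle from 198.51.100.7 port 33001 ssh2
Jul 13 15:20:00 fox sshd[1880]: Failed password for invalid user oracle from 198.51.100.7 port 33002 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: message" (day may be space-padded)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_AUTH_RE = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
# PTR/forward mismatch: a DNS inconsistency, not an authentication failure.
REVERSE_MAP_RE = re.compile(
    r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[\d.]+)\] failed"
)


def parse_line(line, year=2010, count_reverse_mapping=True):
    """Return (timestamp, ip) for a line that counts as a failure, else None.

    `year` is assumed because syslog timestamps carry none."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    patterns = [FAILED_AUTH_RE]
    if count_reverse_mapping:
        patterns.append(REVERSE_MAP_RE)
    for pat in patterns:
        hit = pat.search(m.group("msg"))
        if hit:
            return ts, hit.group("ip")
    return None


def find_offenders(log_text, maxretry=3, findtime=600, year=2010,
                   count_reverse_mapping=True):
    """fail2ban-style sliding window: an IP is banned the moment it has
    `maxretry` failures within any `findtime`-second span.

    Returns {ip: timestamp_of_ban}. Events after the ban are ignored."""
    recent = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year, count_reverse_mapping)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop events that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def hosts_deny_lines(banned):
    """Render the bans as lines for /etc/hosts.deny (TCP wrappers syntax)."""
    return [f"sshd: {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print("\n".join(hosts_deny_lines(hits)))
```

With the defaults, 203.0.113.45 is banned at 15:05:33 and 198.51.100.7 is not, because its two failures are 13 minutes apart and fall out of the 600-second window. With `count_reverse_mapping=False` nobody is banned in this sample, which is the practical difference between treating the PTR warning as evidence and treating it as noise; the real fail2ban sshd filter decides this with its own regex list, and denyhosts writes the resulting entries to hosts.deny for you.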