[SGVLUG] ssh breakins

Matthew Gallizzi matthew.gallizzi at gmail.com
Tue Aug 8 23:29:18 PDT 2006


Hmm, I haven't really been following up on this. And I don't plan on reading
everything, too busy... but I read the first e-mail. I maintain servers that
get slashdotted... and my solution to all the failed ssh attempts on these
servers was telling sshd to listen on port 443 (server doesn't use https).
No more failed attempts :)

On 8/8/06, Jeff Carlson <jeff at ultimateevil.org> wrote:
>
> James Neff wrote:
> > Chances are these are script kiddies looking for something fun to do.
> > Or, they are folks looking for an FTP site to host their Warez stuff.
>
> Or more likely either use your computer to attack even more hosts, or to
> have you join an army of zombie spam-bots.
>
> > I wrote a script that went through and pulled out the IP addresses from
> > the log files and added them to my iptables drop list.  I also
> > researched some of them, with the help of WHOIS from Network Solutions
> > web pages, and found the ones coming from eastern Europe and Asia.  I
> > banned entire subnets (some */7) from ever getting to my network again.
>
> There already exist several resources to figure out which network
> authority or country is responsible for any IP range.  First is
> http://www.iana.org/assignments/ipv4-address-space which lists what
> authority is responsible for every */8 block.  Next is
> http://blackholes.us which has zone files available via rsync for every
> country.  The supplied zone files are in formats for tcp_wrappers, a
> plain text format, and a format for a particular DNS server used as a
> blackhole server.  I have some scripts for converting this data to BIND
> format if anyone wants them.
>
> > If you have spare time, you could call the ISP's tech support line
> > (lookup on Network Solutions' WHOIS page) and threaten litigation if
> > they do not police their own network.  This will only work for US based
> > ISP's.  I sent out a few "cease and assist" e-mails to the abuse e-mail
> > address of several ISP's and one of them called me right back to
> > apologize.
>
> Just about any Unix or Linux has a whois command, so why bother using
> NetSol's web page?
>
> > I always thought it would be fun to write a script (somehow trigger it
> > by the ssh daemon upon receiving a failed login attempt) that would
> > automatically portscan and DoS on the offending client.
>
> DenyHosts can trigger an extension program that receives the IP address
> of the attacker as *argv[1].  You could do pretty much anything, do a
> whois lookup, get the ISP name, send email to abuse@, etc.  Note that
> portscanning is legal, however performing a DoS attack may be regarded
> as illegal.
>



-- 
Matthew Gallizzi
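The DenyHosts extension Jeff describes, as an added example that is not code from this thread or from the DenyHosts project: a hypothetical deny plugin that takes the blocked address from argv[1], runs the local whois command (rather than the NetSol web page) and records the abuse contact for a human to follow up on. The log path and the registry field names are assumptions; the whois record used for offline checks is a constructed sample.

```python
# Hypothetical DenyHosts-style deny plugin (not DenyHosts' own code). DenyHosts
# passes the blocked address as argv[1]; this script validates it, runs the local
# `whois` client and logs any abuse mailbox it finds for a human to act on.
import ipaddress
import re
import subprocess
import sys
LOG_PATH = "/var/log/denyhosts-abuse.log"  # assumed location
# RIR abuse fields: ARIN "OrgAbuseEmail", RIPE/APNIC/LACNIC "abuse-mailbox";
# a literal abuse@... anywhere in the record also counts.
_ABUSE_FIELD = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)", re.I | re.M)
_ABUSE_ADDR = re.compile(r"\babuse@[\w.-]+", re.I)
# Constructed sample whois record for offline testing; not real registry data.
SAMPLE_WHOIS = """\
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
remarks:        report spam to Abuse@Example.net
"""

def parse_ip(arg):
    """Accept only a syntactically valid, public address."""
    ip = ipaddress.ip_address(arg.strip())
    if ip.is_private or ip.is_loopback:
        raise ValueError(f"{ip} is not a public address; nothing to look up")
    return ip

def abuse_contacts(whois_text):
    """Distinct abuse mailboxes in a whois record, lower-cased, in order found."""
    found = [m.group(1) for m in _ABUSE_FIELD.finditer(whois_text)]
    found += _ABUSE_ADDR.findall(whois_text)
    return list(dict.fromkeys(a.lower() for a in found))

def whois_lookup(ip):
    """Run the local whois client; return "" if it is missing or times out."""
    try:
        return subprocess.run(["whois", str(ip)], capture_output=True, text=True, timeout=20).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

def main(argv):
    if len(argv) != 2:  # DenyHosts always supplies exactly one argument
        return 2
    ip = parse_ip(argv[1])
    contacts = abuse_contacts(whois_lookup(ip)) or ["<no abuse contact found>"]
    with open(LOG_PATH, "a") as log:  # one line per blocked host
        log.write(f"{ip} {' '.join(contacts)}\n")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```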