12-09-2008, 04:31 AM
"Jose R R"

Subject: Dark reading article on the proper port of SSH daemon.

"In honor of this phenomenon, I now keep a text file of the ports I
find an SSH daemon running on, and the explanation offered by the
administrator of how this change improves security. I won't list the
explanations here, but here's the gist of their justifications:
attackers will not bother launching a scan against the entire port
range of a box, and a scanning tool is not advanced enough to grab
service banners. Admins generally provide me with these explanations
during a post assessment wrap-up meeting, and they are typically
surprised that their SSH daemon running on port 65022 is listed in the
report at all. It's almost like pointing out a trap door or a mirror
in a magic act."

Hiding In Plain Sight Doesn't Work:
< http://www.darkreading.com/blog/archives/2008/12/hiding_in_plain.html?cid=RSSfeed_DR_ALL?cid=nl_DR_WEEKLY_T >

After reading the above article, well ...ahem, I decided to bring back
the SSH daemon to its original default port on some accounts and
implemented a banner advising the would-be perpetrators that their IP
would be logged. Notwithstanding, there were those who did not care
(some, like the example below, understandably since their IP is
dynamic). Notwithstanding, those who dared try their luck were locked
out by fail2ban on their fifth try. After observing their reverse
mapping attempts (as below) I reduced SSH login attempts to three.

I am also looking for insight/recommendations on a utility to stop
scraping/resource probing like abuses, where a given perpetrator will
start at the root of the web resources and continue for several
minutes traversing the whole site(s).

Dec 8 04:51:23 my-client-host sshd[8282]: Invalid user test from 85.94.59.251

Dec 8 04:51:23 my-client-host sshd[8282]: reverse mapping checking
getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE
BREAK-IN ATTEMPT!

Dec 8 04:51:32 my-client-host sshd[8284]: Invalid user guest from 85.94.59.251

Dec 8 04:51:32 my-client-host sshd[8284]: reverse mapping checking
getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE
BREAK-IN ATTEMPT!

Dec 8 04:51:36 my-client-host sshd[8286]: Invalid user admin from 85.94.59.251

Dec 8 04:51:36 my-client-host sshd[8286]: reverse mapping checking
getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE
BREAK-IN ATTEMPT!

Dec 8 04:51:41 my-client-host sshd[8288]: Invalid user admin from 85.94.59.251

Dec 8 04:51:41 my-client-host sshd[8288]: reverse mapping checking
getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE
BREAK-IN ATTEMPT!

Dec 8 04:51:51 my-client-host sshd[8290]: Invalid user user from 85.94.59.251

Dec 8 04:51:51 my-client-host sshd[8290]: reverse mapping checking
getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE
BREAK-IN ATTEMPT!

--
Jose R R
http://www.metztli-it.com

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
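
As an added illustration of the fail2ban-style lockout described in the post (example code written for this page, not code from the post or from fail2ban itself), the Python script below applies the same rule to sshd log lines: it counts only "Invalid user" failures per source address and flags an address once it reaches maxretry failures inside a sliding window of findtime seconds, exactly the kind of threshold the author lowered from five to three. The sample log, the assumed year, the placeholder hostnames and the RFC 5737 documentation addresses are all constructed for the example; the reverse-mapping warnings are included to show that they are parsed past rather than counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamps carry no year, so one is assumed here (an assumption of
# this example, not something the log states) to make them comparable.
ASSUMED_YEAR = 2008

# The "Invalid user <name> from <ip>" line sshd writes when a login names an
# account that does not exist; only these lines count as failures below.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample modelled on the sshd lines quoted in the post. The IPs
# are RFC 5737 documentation addresses and the hostnames are placeholders.
SAMPLE_LOG = """\
Dec  8 04:30:00 my-client-host sshd[8101]: Invalid user backup from 198.51.100.7
Dec  8 04:41:00 my-client-host sshd[8140]: Invalid user oracle from 198.51.100.7
Dec  8 04:50:10 my-client-host sshd[8270]: Accepted publickey for jose from 203.0.113.5 port 51234 ssh2
Dec  8 04:51:23 my-client-host sshd[8282]: Invalid user test from 192.0.2.10
Dec  8 04:51:23 my-client-host sshd[8282]: reverse mapping checking getaddrinfo for host.example.net failed - POSSIBLE BREAK-IN ATTEMPT!
Dec  8 04:51:32 my-client-host sshd[8284]: Invalid user guest from 192.0.2.10
Dec  8 04:51:36 my-client-host sshd[8286]: Invalid user admin from 192.0.2.10
Dec  8 04:51:41 my-client-host sshd[8288]: Invalid user admin from 192.0.2.10
Dec  8 04:51:51 my-client-host sshd[8290]: Invalid user user from 192.0.2.10
Dec  8 04:52:00 my-client-host sshd[8295]: Invalid user postgres from 198.51.100.7
"""


def parse_invalid_user(line):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None."""
    m = INVALID_USER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def count_failures(lines):
    """Map each source IP to the list of nonexistent usernames it tried."""
    tried = defaultdict(list)
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed is not None:
            _ts, user, ip = parsed
            tried[ip].append(user)
    return dict(tried)


def find_bans(lines, maxretry=3, findtime=600):
    """Apply a fail2ban-style rule: ban an IP once it produces `maxretry`
    'Invalid user' failures within a sliding window of `findtime` seconds.
    Returns {ip: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    bans = {}
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed is None:
            continue  # accepted logins, reverse-mapping warnings etc. are not counted
        ts, _user, ip = parsed
        if ip in bans:
            continue  # already banned; the firewall rule would be dropping it by now
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, users in count_failures(lines).items():
        print(f"{ip}: {len(users)} invalid-user attempts ({', '.join(users)})")
    for ip, when in find_bans(lines).items():
        print(f"ban {ip} at {when.time()} (maxretry=3, findtime=600)")
```

Run as-is, only 192.0.2.10 is banned, on its third failure at 04:51:36; 198.51.100.7 also fails three times but spreads them more than ten minutes apart, so the findtime window never holds three at once. Widening findtime to an hour catches it too, which is the trade-off the jail's findtime setting embodies: a longer window catches slow scanners at the cost of banning a legitimate user who fat-fingers a few logins over an afternoon.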
 
12-09-2008, 04:43 AM
Nikolas Lam

Subject: Dark reading article on the proper port of SSH daemon.

On Mon, 2008-12-08 at 21:31 -0800, Jose R R wrote:
...
> I am also looking for insight/recommendations on a utility to stop
> scraping/resource probing like abuses, where a given perpetrator will
> start at the root of the web resources and continue for several
> minutes traversing the whole site(s).

Check out fail2ban - it monitors your logs and modifies your iptables
entries to block likely abusers for a fixed period (all configurable).
I've found it highly effective against bulk automated brute-force
attacks.

Nik



 
12-09-2008, 05:13 AM
"Jose R R"

Subject: Dark reading article on the proper port of SSH daemon.

On Mon, Dec 8, 2008 at 9:43 PM, Nikolas Lam
<nlam87346@library.usyd.edu.au> wrote:
> On Mon, 2008-12-08 at 21:31 -0800, Jose R R wrote:
> ...
>> I am also looking for insight/recommendations on a utility to stop
>> scraping/resource probing like abuses, where a given perpetrator will
>> start at the root of the web resources and continue for several
>> minutes traversing the whole site(s).
>
> Check out fail2ban - it monitors your logs and modifies your iptables
> entries to block likely abusers for a fixed period (all configurable).
> I've found it highly effective against bulk automated brute-force
> attacks.
>
> Nik
>
>

Thanks for pointing out my omission, Nik. I have enabled the
following sections in the fail2ban jail.local configuration file and I
will continue monitoring closely.

[apache]

enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6


[apache-noscript]

enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

Regards.

--
Jose R R
http://www.metztli-it.com
