Package: openssh-server
Version: 1:5.1p1-5
OS: Debian Lenny x86_64

Problem: SSH servers are permanently attacked by brute-force attackers. This obviously doesn't harm our security, as we are using only DSA key authentication. sshd_config is only altered in one line: PasswordAuthentication No. All other content in sshd_config is left as suggested by the package maintainer.

I've recently noticed the ssh service on some 40 servers is giving "Invalid Service Response" to our heartbeat monitor. This error is given if a TCP handshake is successful but closed without any protocol handshake. After a few tens of minutes, the ssh service recovers back to normal.

After looking further, I've noticed this behavior on aggressive brute-force. Adding a fail2ban on ssh did not really solve this issue.

Monitoring some switches, I've noticed the attacker was walking through some of our subnets, also attacking machines running a similar setup, but with RHEL5, CentOS4, Solaris 9 + 10. The only ssh services which went down during the attack were running on Debian Lenny x86_64.

Kind regards
--
Stephan Seitz
Senior System Administrator
*netz-haut* e.K. multimediale kommunikation
zweierweg 22
97074 würzburg
fon: +49 931 2876247
fax: +49 931 2876248
web: http://www.netz-haut.de/
registergericht: amtsgericht würzburg, hra 5054
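
Added example, not part of the original report and not the heartbeat monitor's own code: a probe that separates the condition described above (TCP handshake succeeds, connection ends without an SSH identification string) from a refused connection and from a healthy sshd. The state names and the loopback fake_listener helper are constructed for illustration.

```python
import socket
import threading


def probe_ssh(host, port=22, timeout=5.0):
    """Return (state, banner) for one connection attempt.

    state is "connect_failed" (no TCP handshake), "no_protocol_handshake"
    (TCP handshake succeeded, but the peer closed, reset, or sent only
    non-SSH data), "timeout", or "ok".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect_failed", ""
    with sock, sock.makefile("rb") as stream:
        try:
            # RFC 4253 section 4.2 lets a server send other lines before "SSH-".
            for _ in range(20):
                line = stream.readline(256)
                if not line:
                    break  # peer closed without identifying itself
                if line.startswith(b"SSH-"):
                    return "ok", line.strip().decode("ascii", "replace")
        except socket.timeout:
            return "timeout", ""
        except OSError:
            pass  # a connection reset also counts as no protocol handshake
    return "no_protocol_handshake", ""


def fake_listener(reply):
    """Constructed test peer: accept one loopback connection, send reply, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for reply in (b"SSH-2.0-ConstructedExample\r\n", b""):
        print(probe_ssh("127.0.0.1", fake_listener(reply), timeout=2.0))
```

Logging the state per host over time shows whether the outages on the affected machines are refused connections or accepted-then-dropped ones, and how long each episode lasts.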

