On 24 April 2010 14:46, jhell <[email protected]> wrote: > On 04/16/2010 05:18, krad wrote: > > On 16 April 2010 09:39, David Xu <[email protected]> wrote: > > > >> Jeremy Lea wrote: > >> > >>> Hi, > >>> > >>> This is off topic to this list, but I dont want to subscribe to -chat > >>> just to post there... Someone is currently running a distributed SSH > >>> attack against one of my boxes - one attempted login for root every > >>> minute or so for the last 48 hours. They wont get anywhere, since the > >>> box in question has no root password, and doesn't allow root logins via > >>> SSH anyway... > >>> > >>> But I was wondering if there were any security researchers out there > >>> that might be interested in the +-800 IPs I've collected from the > >>> botnet? The resolvable hostnames mostly appear to be in Eastern Europe > >>> and South America - I haven't spotted any that might be 'findable' to > >>> get the botnet software. > >>> > >>> I could switch out the machine for a honeypot in a VM or a jail, by > >>> moving the host to a new IP, and if you can think of a way of allowing > >>> the next login to succeed with any password, then you could try to see > >>> what they delivered... But I don't have a lot of time to help. > >>> > >>> Regards, > >>> -Jeremy > >>> > >>> > >> Try to change SSH port to something other than default port 22, > >> I always did this for my machines, e.g, change them to 13579 :-) > >> > >> Regards, > >> David Xu > >> _______________________________________________ > >> [email protected] mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > >> To unsubscribe, send any mail to " > [email protected]" > >> > > > > dont allow password auth, tcp wrap it, and acl it with pf. Probably more > > stuff you can do. Think onions > > Not allowing password auth also means turning off PAM authentication for > logins with openssh and has the resulting effect utmp not being updated > among other things. Be sure you want to go this route. > > tcpwrap it ? that is unneeded. The moment you start configuring > hosts.allow your system is going to be sending requests for ident. Its a > bad idea with all the other options that are available. >
Not by default it doesnt. Even then ident wont happen to random hosts only ones you trust as you will be protected via pf/ipfw/iptables, its just their as a safety net. I did mention onions I thought. _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[email protected]"
