Gregg C Levine wrote:
| Hello from Gregg C Levine

Hello, Gregg.

| Question, is anyone seeing activity on their Internet connected L/390
| systems regarding the SSH port, and this NOUSER thing? All of a sudden
| I'm seeing anywhere from two to as many as four different attacks on
| my system, Slackware 10.1 with all of the noted security fixed items
| applied. Including a pair of them today. The last one seemed to be
| originating from a public ISP in Korea, the one before from a school
| in Taiwan.

There is a plethora of exploits and brute-force probing utilities out there in the wild, so I wouldn't have worried too much if I were you. There were times when I'd have encountered as many as 250 different ssh login attempts in the course of a couple of hours, being done by five to six different clients, and all followed a remarkably simple pattern. It turned out to be an ssh brute-force dictionary attack that was freely downloadable and even posted as a proof-of-concept attack to a number of security-related mailing lists.

| I was originally told by a couple of experts about an SSH based Trojan
| or worm running someplace inside the Internet, or something along
| those lines. But this was nearly six months earlier. Could there still
| be infected machines out there?

Yes, the "raid" was going on somewhere between October and December of last year. As it was being operated, or at least initiated, by humans though, I'd dare saying there will always be people inclined to do those kinds of attacks, even old ones.

| Just looking for advice, and opinions.

Apart from what everybody else suggested, that is, restricting logins to just a couple of authorized addresses via means of firewall rules, disabling tunneled cleartext password authentication and replacing it with challenge-response, OTP or kerberos-based authentication, there is an extremely simple trick that will allow you to go by completely unnoticed by those kinds of tools: change the port ssh is listening on.

This way, you will know that someone attempting to connect on that port, using _proper_ ssh protocol, is either a user forgetting their password, or a real threat you should investigate further. Whether or not this is viable depends on the profile of the majority of the users connecting via ssh (i.e., it is next to impossible to expect "ordinary users" will have been able to adapt to this environmental peculiarity, whereas it may be reasonable to prescribe this as a policy if the only people logging into the guests are admins, as they will usually have a higher clearance level), but it may be achieved by simply changing the Port directive in /etc/ssh/sshd_config to the desired port number or using some kind of an administration tool to do it for you (make sure you don't use a port already in use; also, well-known ports are often a target of different attacks). Connecting to a machine from a UNIX shell can then be done as simply as adding "-p <yournewport>" to the ssh command line or adjusting the application profile if people are connecting from a frontend.

The usual case is that the number of unauthorized login attempts will have dropped to a still zero.

Hope to have helped.

Kind regards,
--
Grega Bremec
gregab at p0f dot net

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
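The two changes the reply recommends, moving the Port directive in /etc/ssh/sshd_config off 22 and turning off tunneled cleartext password authentication in favour of challenge-response, plus the matching client-side adjustment so users do not have to remember "-p", as an added Python example. This is not code from the original post or from any LINUX-390 poster: the sample sshd_config, the port 2222, the alias "zlinux" and the host name zlinux.example.org are constructed assumptions; the directive names are real sshd_config/ssh_config keywords. The script assumes a config with no Match blocks.

```python
# Added example (not from the original LINUX-390 post): rewrite an sshd_config
# to listen on a non-default port and refuse cleartext passwords, then emit a
# ~/.ssh/config stanza so clients need not type "-p <port>" every time.
import re

# Constructed sample of a stock sshd_config; not taken from the post.
SAMPLE_SSHD_CONFIG = """\
# stock defaults (constructed sample)
#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
"""

# Real sshd_config keywords; the values are the post's advice (no tunneled
# cleartext passwords, keyboard-interactive for OTP/challenge-response).
HARDENED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "yes",
    "PermitRootLogin": "no",
}

# keyword/value line, optionally commented out (e.g. "#Port 22")
_DIRECTIVE = re.compile(r"^\s*(#\s*)?([A-Za-z][A-Za-z0-9]*)\s+(.*?)\s*$")


def effective_settings(text):
    """sshd honours the FIRST active occurrence of a keyword; return that view."""
    settings = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m or m.group(1):          # blank, comment, or commented-out default
            continue
        settings.setdefault(m.group(2).lower(), m.group(3))
    return settings


def choose_port(port, ports_in_use=()):
    """Reject what the post warns against: privileged/well-known or already-bound ports."""
    if not 1024 <= port <= 65535:
        raise ValueError("use an unprivileged port above 1023; well-known ports get probed")
    if port in set(ports_in_use):
        raise ValueError("port %d is already in use on this host" % port)
    return port


def harden(text, new_port, ports_in_use=()):
    """Return sshd_config text with Port and the HARDENED directives set exactly once.

    The first occurrence of each directive (active or commented out) is rewritten
    in place; later active duplicates are commented out so they cannot override
    the new value (sshd keeps the first one it sees). Missing directives are
    appended. Assumes no Match blocks.
    """
    wanted = {"Port": str(choose_port(new_port, ports_in_use))}
    wanted.update(HARDENED)
    done, out = set(), []
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            canon = next((k for k in wanted if k.lower() == m.group(2).lower()), None)
            if canon and canon not in done:
                out.append("%s %s" % (canon, wanted[canon]))
                done.add(canon)
                continue
            if canon and not m.group(1):          # later active duplicate
                out.append("#" + line + "   # disabled: superseded above")
                continue
        out.append(line)
    for key in wanted:
        if key not in done:
            out.append("%s %s" % (key, wanted[key]))
    return "\n".join(out) + "\n"


def client_stanza(alias, hostname, port, user=None):
    """~/.ssh/config Host block: 'ssh alias' instead of 'ssh -p PORT user@host'."""
    lines = ["Host %s" % alias, "    HostName %s" % hostname, "    Port %d" % port]
    if user:
        lines.append("    User %s" % user)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    new_cfg = harden(SAMPLE_SSHD_CONFIG, 2222, ports_in_use=(22, 80, 443))
    print(new_cfg)
    print(effective_settings(new_cfg))
    print(client_stanza("zlinux", "zlinux.example.org", 2222, "admin"))
```

Before restarting sshd with the rewritten file, run `sshd -t` against it and keep an existing session open, so a typo cannot lock you out of the guest; the firewall rule restricting source addresses that the reply also mentions still applies to the new port.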
