[H-GEN] Re: Blocking SSH exploits

Troy Piggins troy at piggo.com
Sun Aug 22 19:16:03 EDT 2004


> From: Sarah Walters <s.walters at its.uq.edu.au>
> 
> Hi all,
> 
> In the daily security report generated by our FreeBSD box, we've been 
> getting a lot of messages like the following lately:

<snip log>

> Of course we don't have SSH enabled for root under any circumstances, 
> but we do SSH home frequently so would not want to block external IPs 
> altogether. Has anyone seen a similar increase in such attempts, and is 
> there something out there that I should know about?
> 
> By the way, we are thinking that it would be nice to be able to block 
> IPs that make any such attempts automatically, probably for about 10 
> minutes. Does anyone know how to do this, and would it be worthwhile trying?
> 
> Regards,
> Sarah Walters

I have been getting similar attempts, with attempted usernames of
root, test, and guest.  The IP addresses change - whois indicated
the address blocks are from Ukraine, Korea, Japan, Italy -
basically all over the place.  I came to the conclusion that the
owners of the IPs are not the ones doing it, but are compromised or
spoofed.

If you want ssh available to the outside world, I guess you just
have to ensure good username and password policies, and hope that
openssh has no security leaks or exploits ...  and keep it up to
date.

-- 
T R O Y  P I G G I N S
e : troy at piggo.com
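
The temporary block asked about in the quoted question (ban an address for about 10 minutes after repeated failed logins) can be sketched as below. This is an added example, not part of the original thread: the log lines are constructed in the usual OpenSSH "Failed password" syslog format because the original log was snipped, and the threshold, the counting window, the function names and the documentation-range IP addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the usual sshd syslog format (not from the thread).
SAMPLE_LOG = """\
Aug 22 03:10:01 host sshd[411]: Failed password for root from 203.0.113.7 port 4021 ssh2
Aug 22 03:10:03 host sshd[412]: Failed password for illegal user test from 203.0.113.7 port 4022 ssh2
Aug 22 03:10:05 host sshd[413]: Failed password for invalid user guest from 203.0.113.7 port 4023 ssh2
Aug 22 03:11:00 host sshd[420]: Accepted password for sarah from 198.51.100.20 port 5100 ssh2
Aug 22 03:30:00 host sshd[500]: Failed password for root from 192.0.2.99 port 6001 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")

THRESHOLD = 3                       # assumed: failures before a ban
WINDOW = timedelta(minutes=5)       # assumed: period the failures must fall in
BAN_TIME = timedelta(minutes=10)    # the "about 10 minutes" from the question


def parse_failures(log_text, year=2004):
    """Yield (timestamp, user, ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def compute_bans(log_text):
    """Return {ip: (ban_start, ban_end)} for IPs reaching THRESHOLD in WINDOW."""
    recent, bans = {}, {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip][1]:
            continue                # already banned at this time
        hits = [t for t in recent.get(ip, []) if ts - t <= WINDOW] + [ts]
        recent[ip] = hits
        if len(hits) >= THRESHOLD:
            bans[ip] = (ts, ts + BAN_TIME)
            recent[ip] = []         # start counting afresh once the ban lapses
    return bans


def is_banned(bans, ip, now):
    """True while `now` falls inside the ban interval recorded for `ip`."""
    return ip in bans and bans[ip][0] <= now < bans[ip][1]
```

The intervals returned by `compute_bans` are what a packet-filter or TCP-wrapper entry would be created from and removed again when the interval ends; a single failure, like the one from 192.0.2.99 in the sample, does not trigger a ban.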



