Tuesday, March 2, 2010

denyhosts

  
Mar 2 04:03:54 vlbalabqser sshd[26733]: Invalid user condor from 195.34.107.23
Mar 2 04:03:55 vlbalabqser sshd[26738]: Invalid user globus from 195.34.107.23
Mar 2 04:03:55 vlbalabqser sshd[26743]: Invalid user testing from 195.34.107.23
Mar 2 04:03:57 vlbalabqser sshd[26758]: Invalid user jboss from 195.34.107.23
Mar 2 04:03:58 vlbalabqser sshd[26768]: Invalid user prueba from 195.34.107.23
Mar 2 04:03:58 vlbalabqser sshd[26773]: Invalid user mailtest from 195.34.107.23

So this is what a dictionary attack on the SSH port looks like. Unsuccessful so far (I hope). In future it will be even harder, thanks to DenyHosts:
  
wget http://ovh.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6-python2.5.rpm
rpm -i DenyHosts-2.6-python2.5.rpm

etc. (see Preventing SSH Dictionary Attacks With DenyHosts). The test from the internal network looked promising:

ssh test@192.168.2.200
The authenticity of host '192.168.2.200 (192.168.2.200)' can't be established.
RSA key fingerprint is 57:33:87:d4:6a:e2:7f:c7:14:00:c1:ac:17:a4:71:c6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.200' (RSA) to the list of known hosts.
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
ssh test1@192.168.2.200
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
ssh test2@192.168.2.200
ssh_exchange_identification: Connection closed by remote host

And on the server, the following showed up:

cat /etc/hosts.deny

# DenyHosts: Tue Mar 2 19:28:25 2010 | sshd: 192.168.2.49
sshd: 192.168.2.49


Works like magic...
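
The idea behind it, as an added example (not DenyHosts' own code): count "Invalid user" lines per source address and produce hosts.deny entries once a threshold is reached. The threshold of 5, the allowlist parameter and the last two sample log lines are assumptions constructed for this sketch.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: the six sshd lines quoted in the post, one spoofing
# attempt (user name containing " from <ip>"), and one unrelated line.
SAMPLE_LOG = """\
Mar 2 04:03:54 vlbalabqser sshd[26733]: Invalid user condor from 195.34.107.23
Mar 2 04:03:55 vlbalabqser sshd[26738]: Invalid user globus from 195.34.107.23
Mar 2 04:03:55 vlbalabqser sshd[26743]: Invalid user testing from 195.34.107.23
Mar 2 04:03:57 vlbalabqser sshd[26758]: Invalid user jboss from 195.34.107.23
Mar 2 04:03:58 vlbalabqser sshd[26768]: Invalid user prueba from 195.34.107.23
Mar 2 04:03:58 vlbalabqser sshd[26773]: Invalid user mailtest from 195.34.107.23
Mar 2 04:04:01 vlbalabqser sshd[26780]: Invalid user x from 192.168.2.1 from 198.51.100.7
Mar 2 04:04:02 vlbalabqser sshd[26790]: Accepted publickey for admin from 192.168.2.49
"""

# Greedy user group plus end anchor: only the LAST "from <ip>" on the line
# (written by sshd, not chosen by the client) is trusted as the source.
INVALID_USER = re.compile(
    r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?$"
)

def failed_sources(log_text):
    """Count 'Invalid user' attempts per validated source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an address: never write it to a deny file
        counts[str(ip)] += 1
    return counts

def deny_entries(counts, threshold=5, allowlist=()):
    """Return hosts.deny lines for sources at or above the assumed threshold."""
    return [f"sshd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allowlist]

if __name__ == "__main__":
    for entry in deny_entries(failed_sources(SAMPLE_LOG)):
        print(entry)
```

The allowlist matters in practice: as the test above shows, a few mistyped passwords from an internal workstation are enough to lock that address out.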
