On February 21, 2005 10:53 pm, Michael Gale wrote:
> Hello,
>
> Reporting the activity will most likely not do any good since nothing
> has really come of the login attempts. You would have to prove that the
> connections are malicious beyond a reasonable doubt. Depending on your
> logs or traffic analysis this may or may not be possible.
>
> Also, most ISPs are too busy to look into and police their network unless
> something concrete has happened. It is kind of like the stalking law ...
> not much can be done until it is too late.
>
> I would suggest downloading the latest OpenSSH source 3.9 and build it
> from source.
>
> Also restrict what users can use SSH by setting the "AllowUsers"
> variable, also:
>
> PermitEmptyPasswords no
> StrictModes yes
>

In addition, use a non-standard port when possible. Script kiddies don't have much for brains -- just too much time.

> Michael.
>
> Greg King wrote:
> > Hi folks,
> >
> > I have a RH9 system which is exposed to the internet by having a firewall
> > port forward SSH to it. Root login is disabled, and the few (4~5)
> > accounts that are on the box have passwords, although probably not as
> > hard as they should be.
> >
> > For the past few weeks I've noticed lots of attempts to log on using
> > various ids, most of which don't exist on the box. I've also heard that
> > SSH itself has known exploits which can result in nefarious types taking
> > control of a box. I don't believe the box is compromised yet, as tripwire
> > seems to be not finding any newly changed system files, but I guess worst
> > case tripwire itself could be compromised. My question is twofold:
> >
> > 1. How easy is it to compromise SSH (OpenSSH_3.5p1 which was the latest
> > one available when RH dropped auto update for RH9)? The RedHat site
> > doesn't have an upgrade after Sep 2003.
> > 2. Is it worthwhile to try to report this activity to abuse@ whatever
> > domain the IP is coming from?
> >
> > Regards,
> > Greg King

_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
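Added example, not part of the original thread or any poster's message: a small Python check that reads sshd_config text and reports which of the settings named in this thread (AllowUsers, PermitEmptyPasswords, StrictModes, root login, non-standard port) are not in place. The sample config, the function names and the treatment of an unset PermitRootLogin as "yes" are assumptions made for the example.

```python
# Added example: audit sshd_config text against the settings named in this thread.
# Assumptions: Match blocks are not handled (parsing stops at the first one).

SAMPLE_CONFIG = """\
# Constructed sample for this example, not a config from the thread.
Port 22
PermitRootLogin no
permitemptypasswords no
#AllowUsers greg
StrictModes no
StrictModes yes
"""

# Values used when a keyword is absent. PermitRootLogin is treated as "yes"
# here (an assumption: its default differs between OpenSSH releases).
DEFAULTS = {"port": "22", "permitrootlogin": "yes",
            "permitemptypasswords": "no", "strictmodes": "yes"}

def parse_sshd_config(text):
    """Return {lowercased keyword: value}; the first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out setting
        parts = line.split(None, 1)
        keyword = parts[0].lower()        # keywords are case-insensitive
        if keyword == "match":
            break                         # conditional blocks are out of scope
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings

def audit(text):
    """Return the keywords that deviate from the advice given in the thread."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["port"] == "22":
        findings.append("port")                  # still on the standard port
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("permitrootlogin")       # root login not disabled
    if cfg["permitemptypasswords"].lower() != "no":
        findings.append("permitemptypasswords")  # empty passwords accepted
    if cfg["strictmodes"].lower() != "yes":
        findings.append("strictmodes")           # file mode checks turned off
    if not cfg.get("allowusers"):
        findings.append("allowusers")            # no AllowUsers restriction
    return findings
```

In the sample, the duplicate StrictModes line shows why order matters: the earlier "no" is the value in effect, so the later "yes" does not clear the finding.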

