Carlos E. R. wrote:
And when I try to log in, I see (with a delay):
cer@nimrodel:~> ssh localhost
ssh_exchange_identification: Connection closed by remote host
cer@nimrodel:~>
And the logs:
Nov 22 12:27:43 nimrodel sshd[7056]: twist 127.0.0.1 to /bin/echo -e "\n\n\tAccess Denied from 127.0.0.1\tSo kindly FOADAH\n";sleep 10
So... the log entry is entirely local. They don't get any text message, but your log is filled with refuse :-p
You'd better modify that line of yours ;-)
--
Cheers,
Carlos E. R.
Carlos,
I saw that too, but I figured that the examples in /etc/hosts.allow that show that format must be sending the string somewhere besides the log. Maybe, in the past, it did get sent back to the person attempting to gain access, but now due to either some suse setting or some change in how the ssh handshake works, they don't see it any more.
But it sure makes finding the stuff in the logs easy ;-)
Did Carlos try connecting only with a real ssh client, or did he try connecting with telnet or netcat? Perhaps the string is sent back but the ssh client discards it since it's not valid ssh protocol? If that's the case, then I say it's still valid to leave the message in there. Except, as someone else pointed out, it doesn't piss the bad guys off, rather the opposite: it just confirms that there is really a nice machine/target/victim there, where simply dropping or refusing the connection tells them a lot less.

I seem to remember one approach that holds the connection open for a long time, wasting the attacker's time and available tcp ports (and using up tcp ports on your end too). I don't remember which package does that or if it was simply a combination of ordinary sshd_config settings.

As for the SuSEfirewall option, there is another problem. Some of these attacks do not come from one IP; they come one or a few connections each from a swarm of different IPs, each of which is an end-user's Windows PC desktop with a virus, i.e. a bot-net. I don't know of any good way to block those yet. Most of my servers' very job in life is to accept ssh connections from several hundred end-users from any IP anywhere. Their natural traffic often produces spikes of connections-per-second from single IPs (everyone in a large office behind a NAT router) and from many IPs, like when everyone in a large office behind a NAT router starts working in the AM, or when they all reconnect after their net connection flickers. I think the only way to allow those while still blocking bot-net attacks, besides simply using some other port besides 22 for my users, would be to configure a special client (like a hacked PuTTY) that does some sort of port-knocking, which you can configure iptables to recognize.

--
Brian K. White    brian@aljex.com    http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro  BBx    Linux SCO  FreeBSD    #callahans  Satriani  Filk!
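The thread makes two points that are easy to check against the log once the "twist" records are in it: Brian notes that the records make the refused connections easy to find, and that a burst from one IP (an office behind a NAT router) looks quite different from a bot-net swarm where many IPs each connect once or twice. The script below is an added example written for this page, not code from the thread, from openSUSE or from tcp_wrappers. It parses syslog lines in the "twist <client> to <command>" format shown above, groups them per minute, and labels each minute as a single-source burst, a distributed swarm or quiet. The sample log lines, the host name, the PIDs, the addresses (documentation ranges) and the two thresholds are all constructed assumptions; tune the thresholds to your own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real traffic) in the tcp_wrappers "twist"
# format seen in the thread. Host name, PIDs and addresses are made up;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges. The final
# "Accepted publickey" line is a normal sshd record and must be ignored.
SAMPLE_LOG = """\
Nov 22 12:27:43 nimrodel sshd[7056]: twist 127.0.0.1 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:27:44 nimrodel sshd[7057]: twist 198.51.100.7 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:27:45 nimrodel sshd[7058]: twist 198.51.100.7 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:27:46 nimrodel sshd[7059]: twist 198.51.100.7 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:27:47 nimrodel sshd[7060]: twist 198.51.100.7 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:27:48 nimrodel sshd[7061]: twist 198.51.100.7 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:27:49 nimrodel sshd[7062]: twist 198.51.100.7 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:30:01 nimrodel sshd[7101]: twist 203.0.113.1 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:30:03 nimrodel sshd[7102]: twist 203.0.113.2 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:30:08 nimrodel sshd[7103]: twist 203.0.113.3 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:30:12 nimrodel sshd[7104]: twist 203.0.113.4 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:30:20 nimrodel sshd[7105]: twist 203.0.113.5 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:30:31 nimrodel sshd[7106]: twist 203.0.113.6 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:30:44 nimrodel sshd[7107]: twist 203.0.113.7 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:30:58 nimrodel sshd[7108]: twist 203.0.113.8 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:35:10 nimrodel sshd[7150]: twist 203.0.113.9 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:35:40 nimrodel sshd[7151]: twist 127.0.0.1 to /bin/echo -e "Access Denied";sleep 10
Nov 22 12:35:42 nimrodel sshd[7152]: Accepted publickey for cer from 127.0.0.1 port 40000 ssh2
"""

# Syslog prefix "Mon DD HH:MM:SS host sshd[pid]:" followed by the twist record.
# The timestamp group deliberately stops before the seconds, so it doubles as
# the one-minute window key.
TWIST_RE = re.compile(
    r"^(?P<window>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}):\d{2} "
    r"\S+ sshd\[\d+\]: twist (?P<ip>\S+) to "
)


def parse_twist_lines(text):
    """Return a list of (minute_window, client_ip) for every twist record."""
    events = []
    for line in text.splitlines():
        m = TWIST_RE.match(line)
        if m:
            events.append((m.group("window"), m.group("ip")))
    return events


def summarize(events):
    """Per minute window: total refusals, distinct client IPs and the busiest IP."""
    per_window = defaultdict(Counter)
    for window, ip in events:
        per_window[window][ip] += 1
    stats = {}
    for window, counter in per_window.items():
        top_ip, top_count = counter.most_common(1)[0]
        stats[window] = {
            "total": sum(counter.values()),
            "distinct": len(counter),
            "top_ip": top_ip,
            "top_count": top_count,
        }
    return stats


def classify(window_stats, single_ip_threshold=5, swarm_threshold=5):
    """Label one window. Thresholds are assumed values, not from the thread:
    a single IP refused >= single_ip_threshold times in a minute is a burst
    (office NAT or one noisy host); otherwise >= swarm_threshold distinct IPs
    with only a few attempts each is the distributed pattern Brian describes."""
    if window_stats["top_count"] >= single_ip_threshold:
        return "single-source burst"
    if window_stats["distinct"] >= swarm_threshold:
        return "distributed swarm"
    return "quiet"


def report(text):
    """Map each minute window in the log text to its label, in time order."""
    stats = summarize(parse_twist_lines(text))
    return {w: classify(s) for w, s in sorted(stats.items())}


if __name__ == "__main__":
    for window, s in sorted(summarize(parse_twist_lines(SAMPLE_LOG)).items()):
        print(f"{window}: {s['total']} refusals from {s['distinct']} IPs "
              f"(busiest {s['top_ip']} x{s['top_count']}) -> {classify(s)}")
```

The single-source label is checked first on purpose: a NAT'd office that trips the per-IP threshold should be reviewed as one source (and whitelisted in hosts.allow if legitimate) rather than counted toward a swarm. A real deployment would read the journal or /var/log/messages instead of the embedded string and would correlate the swarm windows across hours, since a slow bot-net may never exceed a few distinct IPs per minute.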
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org