Need to ban IP address with hosts file
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Where are the hosts allow and hosts deny files? I need to ban an IP address...
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
It's as simple as
Code:
ipfw add deny all from xxx.xxx.xxx.xxx to any
to not allow inbound from xxx.xxx.xxx.xxx, and
Code:
ipfw add deny all from any to xxx.xxx.xxx.xxx
to not allow outbound to xxx.xxx.xxx.xxx.
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
I found somebody trying to use an ssh brute forcer on my ssh session in my snort logs.
Thanks for the help!
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Just for future reference's sake: /etc/hosts.allow and /etc/hosts.deny. If they're not there, you can create them.
Mac Elite
Join Date: May 2001
Location: Utah
Originally posted by Tyler McAdams:
I found somebody trying to use an ssh brute forcer on my ssh session in my snort logs.
I see that ALL the time nowadays. They're automated bots looking for low-hanging fruit. Just make sure you have good passwords and no 'guest' accounts.
EDIT: Also, be careful with tcpwrappers, not all services honor it. ipfw is a better choice.
Moderator 
Join Date: Apr 2000
Location: Gothenburg, Sweden
Yeah, I have seen that a lot. Disabled sshd myself recently - I don't use it enough to warrant the security risk. Another hint, btw: use non-obvious usernames. Don't ever enable root, www, guest, etc for login.
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Originally posted by ink:
EDIT: Also, be careful with tcpwrappers, not all services honor it. ipfw is a better choice.
I use a combination of both. Well, portsentry does, but I've got a script cronned up to text message/e-mail me when it detects failed passwords or illegal login attempts via ssh. I try to at least go check it out at my next convenience.
Originally posted by P:
Yeah, I have seen that a lot. Disabled sshd myself recently - I don't use it enough to warrant the security risk. Another hint, btw: use non-obvious usernames. Don't ever enable root, www, guest, etc for login.
I use ssh too often (and scp, which piggybacks on ssh) to disable it, so I just lock it down. There are some simple things that you can do to your /etc/sshd_config file to tighten security, here's one:
Code:
DenyUsers nobody,root,daemon,unknown,smmsp,lp,postfix,www,eppc,mysql,qtss,cyrus,mailman,appserver
My god it's annoying how it breaks that line. But you get the point. If you explicitly deny access to those system users then you'll be just fine. Note: There's also an "AllowUsers" directive as well, which is somewhat more of a pain in the butt depending on your setup. You'd have to remember to add new users to your config whenever you handed out a new shell account (and DenyUsers is more liberal, but works nice for locking out users that you KNOW shouldn't have access).
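An added example, not code from this thread: a small audit of an sshd_config that applies the points made above and in the later replies (only uncommented lines are live, the keyword's position in the file does not matter, and DenyUsers should cover the system accounts). The sample config, the regex, and the set of accounts checked are my own assumptions; the DenyUsers line is the one quoted in the post.

```python
"""Audit an sshd_config: which directives are live, which system accounts
DenyUsers covers, and whether AllowUsers is actually in effect."""
import re

# Constructed sample config; the DenyUsers list is the one quoted in the thread.
SAMPLE_CONFIG = """\
# Port 22
Port 2222
#PermitRootLogin yes
PermitRootLogin no
DenyUsers nobody,root,daemon,unknown,smmsp,lp,postfix,www,eppc,mysql,qtss,cyrus,mailman,appserver
#AllowUsers tyler
"""

# Assumed set of accounts that should never be able to log in over ssh.
SYSTEM_ACCOUNTS = {"root", "daemon", "www", "nobody", "mysql", "postfix"}

def parse_sshd_config(text):
    """Return {keyword_lower: value} for live (uncommented) directives.
    A line starting with '#' is a comment, so a directive only takes effect
    once that '#' is removed; keywords are case-insensitive and sshd keeps
    the first value it sees for a keyword."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)[\s=]+(.*)", line)
        if m:
            directives.setdefault(m.group(1).lower(), m.group(2).strip())
    return directives

def user_list(value):
    """DenyUsers/AllowUsers accept space- or comma-separated names."""
    return {u for u in re.split(r"[\s,]+", value) if u}

def audit(text):
    d = parse_sshd_config(text)
    denied = user_list(d.get("denyusers", ""))
    allowed = user_list(d.get("allowusers", ""))
    return {
        "port": int(d.get("port", "22")),
        # "yes" was the PermitRootLogin default before OpenSSH 7.0.
        "root_login": d.get("permitrootlogin", "yes").lower(),
        "denied_system_accounts": SYSTEM_ACCOUNTS & denied,
        "unguarded_system_accounts": SYSTEM_ACCOUNTS - denied,
        "allowusers_active": bool(allowed),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```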
Moderator 
Join Date: Apr 2000
Location: Gothenburg, Sweden
Good hint. Thanks, I'll remember that whenever I get around to enabling sshd again. Right now it's not urgent - I can't use SSH from work at the moment because of the firewall settings. One of these days I'll set something up with sshd listening on port 80 - that gets through - but I don't need to right now.
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
That is good... does it matter where I put AllowUsers?
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Nope, as long as it's in sshd's config (/etc/sshd_config on Mac OS X). You don't have to restart the daemon either, changes "take place" immediately.
(Last edited by [APi]TheMan; Apr 15, 2005 at 03:09 AM.)
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Thanks! One more question... Does any modified line in that config file need the # taken out? Is that perl?
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Yeah, you need to take that "#" out. In most config files those signify a comment. 
Senior User
Join Date: Sep 2002
Location: Canastota, New York
I run an OpenBSD server that used to be constantly hammered by these SSH-bots.
Once I changed the port from 22 to something else, the attacks stopped.
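Several posters above mention spotting the bots in snort or sshd logs and one has a cron job that reports failed passwords. As an added example (not anyone's script from this thread), here is detection logic run over constructed sshd log lines that counts failures per source address and emits the two bans the thread discusses, a hosts.deny entry and an ipfw rule. The log format, the threshold, and the ipfw rule number are assumptions.

```python
"""Find password-guessing sources in sshd log lines and build ban entries."""
import re
from collections import Counter

# Constructed sample lines in the classic syslog/sshd format; 198.51.100.7 is
# a guessing bot, 203.0.113.9 is a real user who mistyped once.
SAMPLE_LOG = """\
Apr 15 03:01:11 hh sshd[501]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Apr 15 03:01:13 hh sshd[503]: Failed password for invalid user test from 198.51.100.7 port 40212 ssh2
Apr 15 03:01:15 hh sshd[505]: Failed password for root from 198.51.100.7 port 40213 ssh2
Apr 15 03:01:16 hh sshd[507]: Invalid user oracle from 198.51.100.7
Apr 15 03:02:40 hh sshd[509]: Failed password for tyler from 203.0.113.9 port 50100 ssh2
Apr 15 03:02:55 hh sshd[511]: Accepted publickey for tyler from 203.0.113.9 port 50101 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Invalid user X from IP".
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)")

def count_failures(log_text):
    """Map source IP -> number of failed or invalid-user login events."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def offenders(log_text, threshold=3):
    """Sources at or above the threshold (assumed value); a single typo by
    a real user stays below it."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def ban_rules(ip, rule_number=1000):
    """The tcpwrappers entry and the inbound ipfw rule from the thread.
    hosts.deny only protects services that honor tcpwrappers, so the
    ipfw rule is the one that blocks everything from that address."""
    return {
        "hosts.deny": f"sshd: {ip}",
        "ipfw": f"ipfw add {rule_number} deny all from {ip} to any",
    }

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        for where, rule in ban_rules(ip).items():
            print(f"{where}: {rule}")
```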
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Originally Posted by [APi]TheMan:
Yeah, you need to take that "#" out. In most config files those signify a comment.
That's what I thought... Thanks for all the help!!! The attacks have subsided.