[PLUG] [Q] sshd restrict IP

alan alan at clueserver.org
Mon Aug 2 12:35:03 UTC 2004


On Mon, 2 Aug 2004, Roderick A. Anderson wrote:

> I have got some little twits knocking on the door of one of my servers 
> trying to make ssh connections.  It is irritating as all hell seeing the 
> attempts in my system/security logs so I figured after I report them to
> the company where the IPs look to be from I'd like to just not even give 
> them an answer when they knock.  I know I can do this using iptables and 
> friends but I'd prefer in these few instances to do it (hopefully) using 
> sshd configurations. 

This is a script.  There has been a lot of noise on the security lists 
about it.  They are looking for stupid username/password combinations.  
(For the moment.)  If they get in, they root the server via a couple of 
recent kernel exploits.  It appears they are using compromised servers 
for the attacks.

You will want to inform the holders of the IP addresses that they may have 
a compromised server.

As for local solutions, you should be able to restrict access to sshd via 
/etc/hosts.allow and /etc/hosts.deny.  Unless, of course, your users are 
coming from non-fixed-ip addresses in the first place...
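
An added example, not part of the original message: Python that counts failed sshd password attempts per source address in constructed log lines and returns /etc/hosts.deny entries for repeat sources. The function names, the threshold and the sample addresses are assumptions, and the `sshd: <address>` entries only take effect when sshd is built with TCP wrappers support.

```python
import re
from collections import Counter

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = """\
Aug  2 05:12:01 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 4242 ssh2
Aug  2 05:12:03 host sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 4250 ssh2
Aug  2 05:12:05 host sshd[2105]: Failed password for root from 192.0.2.10 port 4257 ssh2
Aug  2 06:40:11 host sshd[2200]: Failed password for alice from 198.51.100.7 port 5111 ssh2
Aug  2 06:40:19 host sshd[2200]: Accepted password for alice from 198.51.100.7 port 5111 ssh2
Aug  2 07:01:44 host sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 3999 ssh2
Aug  2 07:01:46 host sshd[2303]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only in this example
# Anchored at end of line: the greedy ".*" swallows the client-chosen
# username, so text such as " from <ip>" inside it cannot spoof the source.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* from " + IP + r" port \d+(?: ssh\d?)?\s*$"
)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from " + IP + r" port \d+")


def failed_sources(log_text):
    """Return (failures per source IP, set of IPs with a successful login)."""
    failures, trusted = Counter(), set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            trusted.add(m.group(1))
    return failures, trusted


def hosts_deny_lines(log_text, threshold=2):
    """Build hosts.deny entries for sources at or above the threshold.

    Sources that also logged in successfully are skipped, so a real user
    who mistyped a password is not locked out (assumed policy).
    """
    failures, trusted = failed_sources(log_text)
    return [f"sshd: {ip}" for ip, n in sorted(failures.items())
            if n >= threshold and ip not in trusted]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(SAMPLE_LOG)))
```
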




