Comments on: HowTo: Find SSH Hackers IP’s in a jiffy http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/ return of the men in black Thu, 11 Mar 2010 15:58:54 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: Techs Or More » HowTo: Find SSH Hackers’ IPs Fast http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-7814 Techs Or More » HowTo: Find SSH Hackers’ IPs Fast Tue, 06 Nov 2007 15:42:27 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-7814 [...] read more | digg story [...] [...] read more | digg story [...]

]]> By: krkosska http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-55 krkosska Sat, 14 Oct 2006 20:36:20 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-55 I firewall port 22 and use a variant of popauth to open that port to specific users when they successfully check email. Of course, the server doesn't have to accept mail for them... I firewall port 22 and use a variant of popauth to open that port to specific users when they successfully check email. Of course, the server doesn’t have to accept mail for them…

]]> By: Loren http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-54 Loren Sat, 14 Oct 2006 17:30:04 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-54 You could also shorten that 'awk' command to: awk '/failed/{print $9}' /var/log/auth.log You could also shorten that ‘awk’ command to:
awk ‘/failed/{print $9}’ /var/log/auth.log

]]> By: James http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-53 James Sat, 14 Oct 2006 16:26:33 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-53 Or, a better way is to to strict iptables firewall rules on rate limiting, and/or source/dest and if at all possible implement a port knocker. Example of iptables script that drops new connections after 7 attempts in 30 seconds(this is off memory, sorry if it doesn't work...look @ manpage for more info): iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 7 --name DEFAULT --rsource -j DROP Some articles on port knocking: http://www.ducea.com/2006/07/05/how-to-safely-connect-from-anywhere-to-your-closed-linux-firewall/ http://gentoo-wiki.com/HOWTO_autossh_and_knockd Or, a better way is to to strict iptables firewall rules on rate limiting, and/or source/dest and if at all possible implement a port knocker.

Example of iptables script that drops new connections after 7 attempts in 30 seconds(this is off memory, sorry if it doesn’t work…look @ manpage for more info):
iptables -A INPUT -p tcp -m tcp –dport 22 -m state –state NEW -m recent –set –name DEFAULT –rsource
iptables -A INPUT -p tcp -m tcp –dport 22 -m state –state NEW -m recent –update –seconds 30 –hitcount 7 –name DEFAULT –rsource -j DROP

Some articles on port knocking:
http://www.ducea.com/2006/07/05/how-to-safely-connect-from-anywhere-to-your-closed-linux-firewall/
http://gentoo-wiki.com/HOWTO_autossh_and_knockd

]]> By: harl http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-51 harl Sat, 14 Oct 2006 13:39:02 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-51 Have a look at denyhosts and forget about it: http://denyhosts.sourceforge.net/ Works out-of-the-box for most distributions. Have a look at denyhosts and forget about it: http://denyhosts.sourceforge.net/

Works out-of-the-box for most distributions.

]]> By: converter http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-49 converter Sat, 14 Oct 2006 12:18:43 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-49 Five point penalty for unnecessary use of cat. :) zegrep refused auth.log* cat(1) is for concatenating text files: cat file1 file2 file3 > file4 and etc. Most of the standard unix text processing utilities will open and read from one or more files passed on the command line (just like cat does), iterating over their lines as if they were a single file. What's the point? Even though the time and energy I've just devoted to this post may suggest otherwise, I hate unnecessary typing, and one less cat process means slightly lower resource usage. Five point penalty for unnecessary use of cat. :)

zegrep refused auth.log*

cat(1) is for concatenating text files:

cat file1 file2 file3 > file4

and etc.

Most of the standard unix text processing utilities will open and read from one or more files passed on the command line (just like cat does), iterating over their lines as if they were a single file.

What’s the point? Even though the time and energy I’ve just devoted to this post may suggest otherwise, I hate unnecessary typing, and one less cat process means slightly lower resource usage.

]]> By: Lizer http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-48 Lizer Sat, 14 Oct 2006 10:10:25 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-48 I wrote two scripts that do something similar some time ago: http://lizer.syslinx.org/temporary/failog http://lizer.syslinx.org/temporary/lognames Usage: zcat /var/log/authlog*gz | cat - /var/log/authlog | ./failog [date|host] Counts the failed logins grouped by date/attacker ip. zcat /var/log/authlog*gz | cat - /var/log/authlog | ./lognames Lists the login names and how often each has tried. I wrote two scripts that do something similar some time ago:

http://lizer.syslinx.org/temporary/failog
http://lizer.syslinx.org/temporary/lognames

Usage:
zcat /var/log/authlog*gz | cat - /var/log/authlog | ./failog [date|host]
Counts the failed logins grouped by date/attacker ip.

zcat /var/log/authlog*gz | cat - /var/log/authlog | ./lognames
Lists the login names and how often each has tried.

]]> By: Icheb http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-46 Icheb Sat, 14 Oct 2006 09:10:30 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-46 You can find a script capable of adding iptables entries for found ssh attacks at http://blinkeye.ch/mediawiki/index.php/SSH_Blocking. I've used this on a few hosts, it's relatively easy to install, although you sometimes have to change the detection a bit (find another word, ip address being just another word...). But it runs very well ;). Furthermore you can also change your SSH port if you hate receiving large logwatch e-mails, or you can deinstall logwatch... You can find a script capable of adding iptables entries for found ssh attacks at http://blinkeye.ch/mediawiki/index.php/SSH_Blocking.

I’ve used this on a few hosts, it’s relatively easy to install, although you sometimes have to change the detection a bit (find another word, ip address being just another word…). But it runs very well ;).

Furthermore you can also change your SSH port if you hate receiving large logwatch e-mails, or you can deinstall logwatch…

]]> By: aaron http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-45 aaron Sat, 14 Oct 2006 08:36:21 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-45 Neat article. Try DenyHosts, it basically does the same thing but automatically forwards all sshd hackers to your hosts.deny file. See http://denyhosts.sourceforge.net/ Neat article. Try DenyHosts, it basically does the same thing but automatically forwards all sshd hackers to your hosts.deny file. See http://denyhosts.sourceforge.net/

]]> By: Christian http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/comment-page-1/#comment-44 Christian Sat, 14 Oct 2006 08:08:00 +0000 http://azio.org/2006/10/13/howto-find-ssh-hackers-ips-in-a-jiffy/#comment-44 Funny that "root" isn't in the list. That's the account I'd go for... :> Funny that “root” isn’t in the list. That’s the account I’d go for… :>

]]>