
Re: attacked linkstation

  • haberschnasel
    Message 1 of 5 , Jan 3, 2006
      --- In LinkStation_General@yahoogroups.com, "michael_harper75"
      <cain171562@g...> wrote:
      >
      > I was just reading some logs and I found out that somebody from the IP
      > 210.202.54.11 was trying to brute force ssh into my linkstation. I
      > was wondering what I could do send a message. Nmap reveals his ftp
      > and ssh ports are open as well. My password is pretty strong but, I
      > don't like it.
      >

      Yes, an ssh brute force tool seems to have been published lately.

      I use dropbear as ssh replacement. There is this issue now:
      Security update 11 Dec 2005: Dropbear server versions prior to 0.47
      have a buffer sizing error that may allow authenticated users to run
      code as the server user (usually root). All users are advised to
      upgrade or apply a patch.
      http://matt.ucc.asn.au/dropbear/dropbear.html

      So once they are in as user...

      Best h.
    • Mlehrer
      Message 2 of 5 , Jan 3, 2006
        Here is my solution...

        http://denyhosts.sourceforge.net/

        --- In LinkStation_General@yahoogroups.com, "michael_harper75"
        <cain171562@g...> wrote:
        >
        > I was just reading some logs and I found out that somebody from the IP
        > 210.202.54.11 was trying to brute force ssh into my linkstation. I
        > was wondering what I could do send a message. Nmap reveals his ftp
        > and ssh ports are open as well. My password is pretty strong but, I
        > don't like it.
        >
      • James Stewart
        Message 3 of 5 , Jan 3, 2006
          --- In LinkStation_General@yahoogroups.com, "michael_harper75"
          <cain171562@g...> wrote:
          >
          > I was just reading some logs and I found out that somebody from the IP
          > 210.202.54.11 was trying to brute force ssh into my linkstation. I
          > was wondering what I could do send a message. Nmap reveals his ftp
          > and ssh ports are open as well. My password is pretty strong but, I
          > don't like it.
          >

          I installed "blockhosts" from http://www.aczoom.com/cms/blockhosts on
          mine which uses TCP wrappers to monitor and ban attackers. The
          problem is that I don't have it working correctly yet. Perhaps you
          might take a look at it and/or work with the Author on it. In my case
          blockhosts seems to leave its "lock" file in place, and perhaps its
          SSH-log search string doesn't match the one my version of SSH put into
          the "auth" log.
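
The log-matching problem described in the post above, as an added example (not part of the original thread and not blockhosts' or DenyHosts' own code): a small scanner that counts failed logins per address, emits TCP-wrappers `hosts.deny` entries, and reports failure-like lines that no pattern matched. The message formats, the `sshd` daemon name and the threshold are assumptions to check against your own "auth" log; the sample lines are constructed.

```python
import re
from collections import Counter

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# One pattern per failure message; wording differs between SSH servers and
# versions, so matching ignores case. Each pattern is anchored to the end of
# the line so the address is read from the field the server appends, not from
# the client-chosen username earlier in the line.
PATTERNS = [re.compile(p, re.I) for p in (
    r"sshd\[\d+\]: Failed password for .* from " + IP + r" port \d+(?: ssh\d?)?$",
    r"dropbear\[\d+\]: bad password attempt for '.*' from " + IP + r":\d+$",
    r"dropbear\[\d+\]: login attempt for nonexistent user from " + IP + r":\d+$",
)]
# Loose "looks like an auth failure" test, used only to report lines the
# patterns above missed (the symptom of a search string that does not match).
LOOKS_FAILED = re.compile(
    r"(?:sshd|dropbear)\[\d+\]: .*(?:fail|bad|invalid|illegal|nonexistent)", re.I)

def failed_ip(line):
    """Return the source address of a failed-login line, or None."""
    for pat in PATTERNS:
        m = pat.search(line.rstrip())
        if m:
            return m.group(1)
    return None

def scan(lines, threshold=3, daemon="sshd"):
    """Return (hosts.deny entries, failure-like lines that no pattern matched)."""
    counts, unmatched = Counter(), []
    for line in lines:
        ip = failed_ip(line)
        if ip:
            counts[ip] += 1
        elif LOOKS_FAILED.search(line):
            unmatched.append(line)
    deny = [f"{daemon}: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]
    return deny, unmatched

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = [
    "Jan  3 04:12:01 ls sshd[1234]: Failed password for root from 192.0.2.10 port 40222 ssh2",
    "Jan  3 04:12:03 ls sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 40230 ssh2",
    "Jan  3 04:12:05 ls dropbear[210]: bad password attempt for 'root' from 192.0.2.10:40241",
    "Jan  3 04:12:09 ls dropbear[211]: login attempt for nonexistent user from 198.51.100.7:51000",
    "Jan  3 04:13:00 ls sshd[1240]: Accepted password for mike from 203.0.113.5 port 50000 ssh2",
    "Jan  3 04:13:10 ls sshd[1241]: Failed password for invalid user x from 203.0.113.5 port 1 ssh2 from 192.0.2.10 port 40250 ssh2",
    "Jan  3 04:14:00 ls sshd[1242]: Illegal user test from 198.51.100.7",
]
```

Calling `scan()` on the lines of your own log and reading the second return value shows which failure messages your SSH server writes that the patterns do not yet cover.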
        • Arias Hung
          Message 4 of 5 , Jan 4, 2006
            On Tue, 03 Jan 2006, michael_harper75 delivered in simple text monotype:

            >I was just reading some logs and I found out that somebody from the IP
            >210.202.54.11 was trying to brute force ssh into my linkstation. I
            >was wondering what I could do send a message. Nmap reveals his ftp
            >and ssh ports are open as well. My password is pretty strong but, I
            >don't like it.
            <---snip--->

            You might wanna consider running ssh (or dropbear) on an unconventional port as well, as port 22 imo is too conspicuous.

            I have dropbear, for instance, running on 50,482. Not that anyone that's scanning on all 60,000 ports will necessarily miss it, but most do.