
Re: [cobalt-users] SSH EXPLOIT IN THE WILD



On Thursday 18 September 2003 07:23, Frank Svoboda wrote:
> Hi!
>
> >Or you could install the following script in /usr/local/etc/secnotes, make
> > it executable, (chmod 750 /usr/local/etc/secnotes) then change your
> > hosts.allow and/or hosts.deny lines to:
> >
> >sshd: ALL : spawn /usr/local/etc/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" &
>
> Great script, works fine!
>
> But just one small question: if I put this in my hosts.allow, it
> means that everyone can connect to my ssh. If I don't put it in,
> everyone is allowed too, eh?!
>
> Put another way: I'm not making my server less secure by adding this?!
>
> Regards, Frank

Frank, et al...

  Yes, if you put this "as is" (e.g. sshd: ALL : spawn ...) in your hosts.allow,
you are ALLOWING all ssh connections. (No entry in either hosts.allow or
hosts.deny also means allow all.)

  I highly recommend changing the ALL to specific IP addresses/ranges in the
hosts.allow file, then using the ALL form in hosts.deny to deny everything
else (in other words, allow only those you know/trust, then deny everything
else).

NOTE 1: please do _not_ try something like "ALL : ALL : spawn ..." as an
attempt to track all connections to the box in question.  You will hose
yourself quite quickly and fill your mailbox.

NOTE 2: please be aware that if your box hosts 14 IP addresses and you get
"probed" for ssh connections, you will get 14 emails (one for each
IP/connection attempt).  There are times I will get 20 to over 100 emails
from a box letting me "know" someone is playing.  It gives me the chance to
null route them and/or report them to their ISP - but the number of emails
can get borderline annoying.  I just prefer the email to that deadly silence
and not knowing.....

-- 
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
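An added example, not the secnotes script from the thread (which is not reproduced on this page), showing the layout Larry recommends and one way to write the spawn hook. Part (1) writes a hosts.allow that names trusted sources and a hosts.deny that refuses everyone else, both with the sshd spawn line from the original message, into a scratch directory rather than /etc. Part (2) is a hook that splits the single "%a+%A+%c+%d+%h+%H+%s+%u" argument tcpd hands it and mails once per client address per window, so one probe sweep across a 14-address box produces one mail instead of the 14 described in NOTE 2. The addresses are RFC 5737 documentation ranges standing in for your own hosts; the state directory /var/run/secnotes, the 10-minute window, and mailing root are my assumptions.

```shell
#!/bin/sh
# Added example; not the secnotes script posted to the list.
# Field meanings follow hosts_access(5): %a client address, %A server address,
# %c client info (user@host or address), %d daemon, %h client host, %H server
# host, %s server info (daemon@host), %u client user ("unknown" if unavailable).

DEMO_ETC=${DEMO_ETC:-$(mktemp -d)}   # scratch stand-in for /etc (assumption)

# (1) hosts.allow is consulted first and a match allows; hosts.deny is consulted
# next and a match denies; a client matching neither is allowed.  That is why
# "sshd: ALL" belongs in hosts.deny once hosts.allow lists only trusted sources.
write_wrapper_rules() {
    cat > "$DEMO_ETC/hosts.allow" <<'EOF'
# Trusted sources only (documentation addresses; substitute your own).
# spawn passes one argument: the %-fields joined by '+'.  tcpd replaces shell
# metacharacters inside expansions with '_', so the hook sees one safe word.
sshd: 192.0.2.0/255.255.255.0, 203.0.113.7 : spawn /usr/local/etc/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" &
EOF
    cat > "$DEMO_ETC/hosts.deny" <<'EOF'
# Everyone else is refused; the same hook records the probe.
# Keep this scoped to sshd: "ALL : ALL : spawn ..." fires for every service (NOTE 1).
sshd: ALL : spawn /usr/local/etc/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" &
EOF
}

# (2a) Split the joined argument into its eight fields and build one log line.
# Fails (return 1) if fewer than eight '+'-separated fields arrived.
format_secnote() {
    IFS='+' read -r c_addr s_addr c_info daemon c_host s_host s_info c_user <<EOF
$1
EOF
    if [ -z "$c_user" ]; then
        echo "secnotes: expected 8 '+'-separated fields, got: $1" >&2
        return 1
    fi
    printf '%s: %s -> %s (client %s/%s, server %s/%s, user %s)\n' \
        "$daemon" "$c_info" "$s_info" "$c_addr" "$c_host" "$s_addr" "$s_host" "$c_user"
}

# (2b) Return 0 (send mail) only for the first sighting of a client address in a
# 10-minute window; a marker file per client in $2 tracks that.  Keying on the
# client (%a) rather than the server address (%A) collapses one sweep across all
# of the box's addresses into a single mail.  Every note is still logged.
should_notify() {
    client=$1 state_dir=$2
    mkdir -p "$state_dir"
    marker="$state_dir/$(printf '%s' "$client" | sed 's/[^A-Za-z0-9.:]/_/g')"
    if [ -f "$marker" ] && \
       [ -z "$(find "$state_dir" -name "$(basename "$marker")" -mmin +10 2>/dev/null)" ]; then
        return 1                      # seen within the window: log only
    fi
    : > "$marker"                     # first sighting, or window expired
    return 0
}

# Entry point when tcpd invokes the installed hook with its single argument.
if [ $# -eq 1 ]; then
    note=$(format_secnote "$1") || exit 1
    logger -t secnotes -- "$note"
    if should_notify "${1%%+*}" /var/run/secnotes; then      # ${1%%+*} is %a
        printf '%s\n' "$note" | mail -s "sshd connection note from $(hostname)" root
    fi
fi
```

Install the file as /usr/local/etc/secnotes with mode 750 as the original message says, then check a rule before trusting it: `tcpdmatch sshd 203.0.113.7` (shipped with tcp_wrappers) reports which file and line matched and what spawn command would run, which is the quickest way to confirm that hosts.deny really catches everything hosts.allow does not name.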