[mythtv-users] ssh attack

Korey Fort k.m.fort at gmail.com
Sun Jan 1 11:27:47 EST 2006


-----Original Message-----
From: mythtv-users-bounces at mythtv.org
[mailto:mythtv-users-bounces at mythtv.org] On Behalf Of Michael Starks
Sent: Sunday, January 01, 2006 10:06 AM
To: Discussion about mythtv
Subject: Re: [mythtv-users] ssh attack

chris at cpr.homelinux.net wrote:

>You've missed the point.  These types of packages don't look for
>multiple attempts at a single user name.  They simply watch the auth
>logs and match failures to IPs.  Once an IP has accumulated a certain
>number of failures within a specified time period, that IP address is
>temporarily added to a firewall table to block all further connections.
>In your case, root/root is the first failure, mythtv/mythtv is the
>second failure, etc.
>
>I use fail2ban to do the same thing.  It's highly configurable so you
>can adjust the rules to match almost any kind of log file.
>  
>
If the attacker uses a spoofed source IP of localhost, the server's IP,
a configured DNS server, the Zap2it web site(s) or some other needed IP,
that would be an effective DoS.  If the intent is a DoS of some sort
rather than an interactive login, the reply to the SSH SYN is not
necessary.  Are there any provisions in these tools to protect against
these types of spoofing attacks?
_______________________________________________
mythtv-users mailing list
mythtv-users at mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

With DenyHost I'm pretty sure you can set the IPs that it is not to
block. DenyHost blocks ssh for an IP by default when there are a lot of
failures to log in. It can be changed to block 'all' though on failures.  So
you'll still be able to see the website, and you can ssh out to that box,
but it can't ssh to you.

"Let ye without segmentation fault cast the first int!"

Korey Fort
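
The scheme described in this thread (auth-log failures matched to source IPs inside a time window, regardless of user name, plus a list of addresses that are never blocked) sketched as an added example; it is not part of the original messages and is not fail2ban's or DenyHosts' own code. The log line format, thresholds, host name `mythbox`, the year and all addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed OpenSSH syslog format for failed passwords (valid or invalid user).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def find_bans(lines, max_failures=3, window=timedelta(minutes=10),
              never_block=("127.0.0.0/8",), year=2006):
    """Return the IPs to block, in the order they cross the threshold."""
    allow = [ipaddress.ip_network(n) for n in never_block]
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    banned = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                 # not an IP literal: skip the line
        if any(ip in net for net in allow):
            continue                 # never counted, so never blocked
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)                 # the user name plays no part in the count
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and str(ip) not in banned:
            banned.append(str(ip))
    return banned

# Constructed sample log lines (documentation address ranges).
def _line(ts, user, ip):
    return (f"Jan  1 {ts} mythbox sshd[4101]: Failed password for {user} "
            f"from {ip} port 40022 ssh2")

SAMPLE = [_line(*t) for t in [
    ("09:00:00", "root", "198.51.100.7"), ("09:30:00", "root", "198.51.100.7"),
    ("09:58:01", "root", "203.0.113.5"), ("09:58:03", "mythtv", "203.0.113.5"),
    ("09:58:04", "root", "127.0.0.1"), ("09:58:05", "root", "127.0.0.1"),
    ("09:58:06", "root", "127.0.0.1"),
    ("09:58:07", "invalid user test", "203.0.113.5"),
    ("09:58:08", "root", "198.51.100.7")]]

if __name__ == "__main__":
    print(find_bans(SAMPLE))
```

Passing `never_block=()` shows what the list prevents: the three `127.0.0.1` failures would then put localhost in the block list.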


