Re: Voluminous SSHd scanning; possible worm activity?

From: Jonathan Bloomquist (bocasolutionsat_private)
Date: Thu Dec 13 2001 - 05:58:52 PST


    --- Bertrand Lupart <Bertrand.Lupartat_private> wrote:
    > > For my own part, on top of upgrading to the latest versions of
    > > SSHd, I'm recommending that folks utilize IPchains or IPFilter to
    > > reinforce their explicitly-defined AllowHosts directives in sshd_config.
    > > These measures in themselves should greatly mitigate both the present (and
    > > hopefully, future) threat of successful remote attack on SSHd.
    > 
    > Are we safe if the attack is run from a host not listed as accepted in
    > access control files, i.e.:
    > 
    > /etc/hosts.deny:
    > ALL: ALL
    > 
    > /etc/hosts.allow:
    > sshd: www.xxx.yyy.zzz
    > 
    
    Only services that are launched using tcpwrappers will
    check the /etc/hosts.* files for access permissions.
    
    You can use tcpdchk to analyze your wrapper config:
    
    %man 8 tcpdchk
    
    
           tcpdchk - tcp wrapper configuration checker
    
    SYNOPSIS
           tcpdchk [-a] [-d] [-i inet_conf] [-v]
    
    DESCRIPTION
           tcpdchk examines your tcp wrapper configuration and reports all
           potential and real problems it can find. The program examines the
           tcpd access control files (by default, these are /etc/hosts.allow
           and /etc/hosts.deny), and compares the entries in these files
           against entries in the inetd or tlid network configuration files.
    
           tcpdchk reports problems such as non-existent pathnames; services
           that appear in tcpd access control rules, but are not controlled
           by tcpd; services that should not be wrapped; non-existent host
           names or non-internet address forms; occurrences of host aliases
           instead of official host names; hosts with a name/address
           conflict; inappropriate use of wildcard patterns; inappropriate
           use of NIS netgroups or references to non-existent NIS netgroups;
           references to non-existent options; invalid arguments to options;
           and so on.
    
           Where possible, tcpdchk provides a helpful suggestion to fix the
           problem.
    
    hth
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
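The following is an added illustration, not code from either poster or from the tcp_wrappers package: a small Python model of how hosts_access(5) evaluates the two files in the question (hosts.allow first, first match allows; then hosts.deny, first match denies; no match means allow), with the caveat from the reply built in: a daemon that is not run under tcpd or linked against libwrap never reads the files at all. The sample files, the set of "wrapped" daemons and the addresses (documentation ranges standing in for www.xxx.yyy.zzz) are constructed here; the model handles only the IPv4 pattern forms ALL, exact address, trailing-dot prefix and net/mask, and ignores EXCEPT, hostname patterns and option fields.

```python
"""Model of tcp_wrappers access control as applied to the question above.

Evaluation order follows hosts_access(5): /etc/hosts.allow is scanned first
and the first matching rule grants access; then /etc/hosts.deny, where the
first matching rule denies; if nothing matches in either file, access is
granted. A daemon that is not started through tcpd and not built against
libwrap never consults these files, so the rules have no effect on it.
"""
import ipaddress

# Constructed sample files (192.0.2.0/24 and 198.51.100.0/24 are
# documentation address ranges, standing in for www.xxx.yyy.zzz).
HOSTS_DENY = """
ALL: ALL
"""

HOSTS_ALLOW = """
# one management host, plus the rest of its /24 as a dotted prefix
sshd: 192.0.2.10, 192.0.2.
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: options]' lines into
    (daemon_patterns, client_patterns) tuples. Blank lines and comments
    are skipped; any trailing option fields are ignored in this model."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """IPv4 client patterns: ALL, exact address, trailing-dot prefix
    (e.g. 192.0.2.), or net/mask (e.g. 192.0.2.0/255.255.255.0)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return any(daemon_matches(d, daemon) for d in daemons) and any(
        client_matches(c, addr) for c in clients)


def wrappers_allow(daemon, addr, allow_text, deny_text):
    """The hosts_access() decision for a daemon that does consult the files."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr):
            return False
    return True


def access_decision(daemon, addr, wrapped_daemons,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow', 'deny', or 'unwrapped' (the files are never consulted,
    so the connection reaches the daemon regardless of the rules)."""
    if daemon not in wrapped_daemons:
        return "unwrapped"
    return "allow" if wrappers_allow(daemon, addr, allow_text, deny_text) else "deny"


if __name__ == "__main__":
    for daemon, addr, wrapped in [
        ("sshd", "192.0.2.10", {"sshd"}),
        ("sshd", "198.51.100.7", {"sshd"}),
        ("sshd", "198.51.100.7", set()),        # sshd without libwrap/tcpd
        ("ftpd", "192.0.2.10", {"sshd", "ftpd"}),
    ]:
        state = "yes" if daemon in wrapped else "no"
        print(f"{daemon:5} from {addr:14} wrapped={state:3} -> "
              f"{access_decision(daemon, addr, wrapped)}")
```

The third case is the one the reply is warning about: with sshd outside the wrapped set, the `ALL: ALL` deny rule is never evaluated, which is why a host-level packet filter in front of the daemon was recommended as well.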
    



    This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 12:16:11 PST