posted to this is not a weblog on wednesday, march 30th, 2005
tagged nerd, openbsd, and never commented on

so about those ssh brute force attacks: i actually took the time to look at the packets they were sending, and they identify themselves as an "SSH-2.0-libssh-0.1" client. i don't know anything useful that actually uses libssh, so i just added a line to sshd's compat.c to treat them as probes (sshd already drops a client whose version string matches one of the probe patterns in that table right after the banner exchange, before any authentication; the string is whatever the client chooses to send, so this only catches bots that keep announcing themselves this way):

Index: compat.c
===================================================================
RCS file: /mirror/anoncvs/cvs/src/usr.bin/ssh/compat.c,v
retrieving revision 1.71
diff -u -r1.71 compat.c
--- compat.c	1 Mar 2005 10:09:52 -0000	1.71
+++ compat.c	29 Mar 2005 17:29:10 -0000
@@ -153,6 +153,8 @@
SSHBUG_SCANNER },
{ "Probe-*",
SSHBUG_PROBE },
+		{ "libssh-0.1*",
+					SSHBUG_PROBE },
{ NULL,			0 }
};
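Review bot: the trailing wildcard in "libssh-0.1*" also matches any later libssh-0.1x release, and since the version string is chosen by the client, the bot only has to change its banner to get past this entry; if that is acceptable, a short comment beside the new line saying why libssh-0.1 is treated as a probe (and since when) would help whoever later finds a legitimate libssh client being dropped with "Don't panic.". The shape of the addition matches the "Probe-*" entry above it, so the table itself stays consistent.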

so now instead of this for every probe:

sshd[22380]: Illegal user guest from 211.147.225.104
sshd[10672]: input_userauth_request: illegal user guest
sshd[10672]: Failed password for illegal user guest from 211.147.225.104 port 58555 ssh2
sshd[22380]: Failed password for illegal user guest from 211.147.225.104 port 58555 ssh2
sshd[10672]: Received disconnect from 211.147.225.104: 11: Bye Bye

they are dropped before they try to authenticate:

sshd[27362]: probed from 211.60.219.131 with SSH-2.0-libssh-0.1.  Don't panic.
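to see what this looks like over a log file rather than one line at a time, here is an added example (mine, not part of the original post and not OpenSSH code) that parses both kinds of sshd lines shown above, the "Failed password" form and the "probed from ... with ..." form, and summarises them per source address. the log lines in it are constructed to mirror the post's excerpt, with a second probe banner and a third address made up for illustration; the glob matching uses python's fnmatch as an approximation of the pattern matching sshd does against the part of the banner after "SSH-x.y-", which is an assumption for the demo and also shows that "libssh-0.1*" matches "libssh-0.12".

```python
"""Summarise sshd brute-force noise per source address (added example)."""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample log, modelled on the post's own syslog excerpts.
# The libssh-0.12 banner and the 10.0.0.5 entry are made up for illustration.
SAMPLE_LOG = """\
sshd[22380]: Illegal user guest from 211.147.225.104
sshd[10672]: input_userauth_request: illegal user guest
sshd[10672]: Failed password for illegal user guest from 211.147.225.104 port 58555 ssh2
sshd[22380]: Failed password for illegal user guest from 211.147.225.104 port 58555 ssh2
sshd[10672]: Received disconnect from 211.147.225.104: 11: Bye Bye
sshd[22391]: Illegal user admin from 211.147.225.104
sshd[22391]: Failed password for illegal user admin from 211.147.225.104 port 58601 ssh2
sshd[27362]: probed from 211.60.219.131 with SSH-2.0-libssh-0.1.  Don't panic.
sshd[27401]: probed from 211.60.219.131 with SSH-2.0-libssh-0.12.  Don't panic.
sshd[27500]: Failed password for alice from 10.0.0.5 port 40022 ssh2
"""

# Message text after the "sshd[pid]: " prefix (works with or without a
# syslog timestamp/hostname in front of it).
MSG_RE = re.compile(r"sshd\[\d+\]: (.*)$")
FAILED_RE = re.compile(
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)")
PROBED_RE = re.compile(
    r"probed from (?P<ip>[\d.]+) with (?P<banner>SSH-[\d.]+-\S+?)\.\s+Don't panic\.")

# Same idea as the compat.c table: glob patterns checked against the software
# part of the banner.  fnmatch is an approximation of sshd's own matcher
# (assumption for this demo; '*' and '?' are wildcards in both).
PROBE_PATTERNS = ("Probe-*", "libssh-0.1*")


def is_probe_banner(banner: str) -> bool:
    """True when the part after 'SSH-x.y-' matches one of PROBE_PATTERNS."""
    m = re.match(r"SSH-\d+\.\d+-(.*)", banner)
    if not m:
        return False
    software = m.group(1)
    return any(fnmatchcase(software, pat) for pat in PROBE_PATTERNS)


def parse_log(text: str) -> dict:
    """Group events by source IP: distinct failed logins, users tried, and
    client banners that sshd rejected as probes.

    The post's excerpt shows two sshd pids logging the same failure once
    each, so identical messages from different pids are counted once.  This
    also collapses genuinely repeated identical attempts; good enough for a
    who-is-hammering-me summary.
    """
    sources = defaultdict(lambda: {"failures": 0, "users": set(), "probes": []})
    seen = set()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        msg = m.group(1) if m else line
        if msg in seen:
            continue
        seen.add(msg)

        f = FAILED_RE.search(msg)
        if f:
            rec = sources[f["ip"]]
            rec["failures"] += 1
            rec["users"].add(f["user"])
            continue
        p = PROBED_RE.search(msg)
        if p:
            sources[p["ip"]]["probes"].append(p["banner"])
    return dict(sources)


def noisy_sources(sources: dict, min_failures: int = 2) -> list:
    """Addresses with at least min_failures failed logins or any rejected probe."""
    return sorted(ip for ip, rec in sources.items()
                  if rec["failures"] >= min_failures or rec["probes"])


if __name__ == "__main__":
    summary = parse_log(SAMPLE_LOG)
    for ip in noisy_sources(summary):
        rec = summary[ip]
        print(f"{ip}: {rec['failures']} failed login(s), users {sorted(rec['users'])}, "
              f"probes {rec['probes']}")
```

run it against a real /var/log/authlog and the only change needed is reading the file instead of SAMPLE_LOG; the pid-based dedup is what keeps the doubled "Failed password" lines from inflating the count.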