Modify Remote Login server to block scripted attacks
Authored by: wgscott on Feb 11, '05 01:16:30AM
Two more things that can only help are to use TCPwrappers and the IPFW firewall. describes how to get TCPwrappers going. is (uncrippled) shareware that is a nice GUI for IPFW: One security hole I plugged is that I have to connect insecurely to a POP3 server that forced me to send that password in clear text. I made SSH tunnels to solve that problem and described that . HTH someone. My SGIs would get broken into on a regular basis. OS X is more secure than Irix, but nothing is really secure. Thanks for posting this hint. Its importance cannot be over-stated.

[ Reply to This | # ]
Modify Remote Login server to block scripted attacks
Authored by: tinker on Feb 12, '05 02:03:13AM
I actually posted a hint a while back about using TCP wrappers to prevent unauthorized SSH access, while allowing for access from machines with dynamic IP addresses. It's here. Since then I've set up GeekTool to check my system log and display any intrusion attempts that have happened in the last hour. Believe me, there are a lot of them.

Out of curiosity I checked my system logs and found lots of stuff like this:


Feb 11 20:44:41 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Feb 11 20:44:41 wfc xinetd[340]: START: ssh pid=5015 from=203.75.172.19
Feb 11 20:44:41 wfc xinetd[5015]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 203.75.172.19
Feb 11 20:44:41 wfc xinetd[5015]: FAIL: ssh libwrap from=203.75.172.19
Feb 11 20:51:50 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Feb 11 20:51:50 wfc xinetd[340]: START: ssh pid=5582 from=203.75.172.19
Feb 11 20:51:50 wfc xinetd[5582]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 203.75.172.19
Feb 11 20:51:50 wfc xinetd[5582]: FAIL: ssh libwrap from=203.75.172.19
Feb 11 22:04:14 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Feb 11 22:04:14 wfc xinetd[340]: START: ssh pid=10977 from=195.151.121.132
Feb 11 22:04:14 wfc xinetd[10977]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 195.151.121.132
Feb 11 22:04:14 wfc xinetd[10977]: FAIL: ssh libwrap from=195.151.121.132

So, for what it's worth, it's refusing quite a few connections.

I know that this sort of thing is not especially new and that we don't have much to fear from it, but that doesn't mean that we won't have anything to fear from the next SSH exploit. Better safe than sorry.

[ Reply to This | # ]

filter out IPv6 errors
Authored by: gatorparrots on Feb 13, '05 01:40:15PM
You will see this type of error:
Feb 11 20:51:50 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
if you have edited /etc/hostconfig and set IPV6=-YES- to IPV6=-NO-. If this surmise on my part is correct, you may want to include a line in your GeekTool chain that filters out these errors:
| grep -v "IPV6_ADDRFORM setsockopt() failed: Protocol not available"

[ Reply to This | # ]
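Added example, not part of any comment in this thread: one way to turn the xinetd/libwrap lines quoted above into a per-source count of refused ssh connections, with the IPV6_ADDRFORM noise filtered out as suggested. The function names, the host name and the addresses in the sample log are constructed for illustration; the function reads syslog lines on stdin because the thread does not name a log path.

```shell
#!/bin/sh
# Added example: summarise TCP-wrapper refusals of ssh from xinetd syslog lines.
# refused_ssh_sources and sample_log are hypothetical names, not from the thread.

refused_ssh_sources() {
    # Drop the IPv6 setsockopt noise first, as the grep -v filter above does.
    grep -v 'IPV6_ADDRFORM setsockopt() failed: Protocol not available' |
    awk '
        # Each refused connection logs START, "libwrap refused" and FAIL lines;
        # match only FAIL so a refusal is counted once.
        /xinetd\[[0-9]+\]: FAIL: ssh libwrap from=/ {
            n = split($0, parts, "from=")
            ip = parts[n]
            sub(/[^0-9a-fA-F:.].*$/, "", ip)   # keep only the address characters
            if (ip != "") count[ip]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -k1,1nr -k2,2                     # busiest source first
}

# Constructed sample in the same format as the log excerpt in the thread.
sample_log() {
cat <<'EOF'
Feb 11 20:44:41 host xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Feb 11 20:44:41 host xinetd[340]: START: ssh pid=5015 from=192.0.2.10
Feb 11 20:44:41 host xinetd[5015]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 192.0.2.10
Feb 11 20:44:41 host xinetd[5015]: FAIL: ssh libwrap from=192.0.2.10
Feb 11 20:51:50 host xinetd[340]: START: ssh pid=5582 from=192.0.2.10
Feb 11 20:51:50 host xinetd[5582]: FAIL: ssh libwrap from=192.0.2.10
Feb 11 22:04:14 host xinetd[340]: START: ssh pid=10977 from=198.51.100.7
Feb 11 22:04:14 host xinetd[10977]: FAIL: ssh libwrap from=198.51.100.7
EOF
}

sample_log | refused_ssh_sources
```

To use it on a real machine, pipe the system log into `refused_ssh_sources` instead of `sample_log`.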
Modify Remote Login server to block scripted attacks
Authored by: gorefest on Feb 13, '05 11:36:22AM

You don't need to use a firewall to block certain hosts on ssh.
sshd_conf does it for you also...

DenyUsers *@host


I wish Apple would update to OpenSSH 3.9; then you could use
MaxAuthTries to limit the login tries...



[ Reply to This | # ]