Modify Remote Login server to block scripted attacks
Authored by: tinker on Feb 12, '05 02:03:13AM
I actually posted a hint a while back about using TCP wrappers to prevent unauthorized SSH access, while allowing for access from machines with dynamic IP addresses. It's here. Since then I've set up GeekTool to check my system log and display any intrusion attempts that have happened in the last hour. Believe me, there are a lot of them.

Out of curiosity I checked my system logs and found lots of stuff like this:


Feb 11 20:44:41 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Feb 11 20:44:41 wfc xinetd[340]: START: ssh pid=5015 from=203.75.172.19
Feb 11 20:44:41 wfc xinetd[5015]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 203.75.172.19
Feb 11 20:44:41 wfc xinetd[5015]: FAIL: ssh libwrap from=203.75.172.19
Feb 11 20:51:50 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Feb 11 20:51:50 wfc xinetd[340]: START: ssh pid=5582 from=203.75.172.19
Feb 11 20:51:50 wfc xinetd[5582]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 203.75.172.19
Feb 11 20:51:50 wfc xinetd[5582]: FAIL: ssh libwrap from=203.75.172.19
Feb 11 22:04:14 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Feb 11 22:04:14 wfc xinetd[340]: START: ssh pid=10977 from=195.151.121.132
Feb 11 22:04:14 wfc xinetd[10977]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 195.151.121.132
Feb 11 22:04:14 wfc xinetd[10977]: FAIL: ssh libwrap from=195.151.121.132

So, for what it's worth, it's refusing quite a few connections.

I know that this sort of thing is not especially new and that we don't have much to fear from it, but that doesn't mean that we won't have anything to fear from the next SSH exploit. Better safe than sorry.


filter out IPv6 errors
Authored by: gatorparrots on Feb 13, '05 01:40:15PM
You will see this type of error:
Feb 11 20:51:50 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
if you have edited /etc/hostconfig and set IPV6=-YES- to IPV6=-NO-. If this surmise on my part is correct, you may want to include a line in your GeekTool chain that filters out these errors:
| grep -v "IPV6_ADDRFORM setsockopt() failed: Protocol not available"

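A per-source summary of the refused connections quoted in the first comment, with the IPv6 noise dropped as the second comment suggests. This is an added example, not code from either poster; the function names `refused_ssh_summary` and `sample_log` are hypothetical, and it assumes the xinetd/libwrap log format shown in the thread.

```shell
#!/bin/sh
# Added example: count libwrap-refused SSH connections per source address.
# Reads syslog text on stdin and prints, busiest source first:
#   <count> <source> <first seen> - <last seen>
refused_ssh_summary() {
    grep -v "IPV6_ADDRFORM setsockopt() failed: Protocol not available" |
    awk '
        # Match only the final FAIL verdict so each refused connection is
        # counted once (the "libwrap refused connection" line is the same event).
        / xinetd\[[0-9]+\]: FAIL: ssh libwrap from=/ {
            src = $NF
            sub(/^from=/, "", src)
            # Keep dotted-quad sources only; skip lines with unexpected tails.
            if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            stamp = $1 " " $2 " " $3
            if (!(src in count)) first[src] = stamp
            count[src]++
            last[src] = stamp
        }
        END {
            for (src in count)
                printf "%d %s %s - %s\n", count[src], src, first[src], last[src]
        }
    ' | sort -k1,1nr -k2,2
}

# Sample input: a subset of the log lines quoted in the first comment.
sample_log() {
    cat <<'EOF'
Feb 11 20:44:41 wfc xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Feb 11 20:44:41 wfc xinetd[340]: START: ssh pid=5015 from=203.75.172.19
Feb 11 20:44:41 wfc xinetd[5015]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 203.75.172.19
Feb 11 20:44:41 wfc xinetd[5015]: FAIL: ssh libwrap from=203.75.172.19
Feb 11 20:51:50 wfc xinetd[340]: START: ssh pid=5582 from=203.75.172.19
Feb 11 20:51:50 wfc xinetd[5582]: FAIL: ssh libwrap from=203.75.172.19
Feb 11 22:04:14 wfc xinetd[10977]: libwrap refused connection to ssh (libwrap=sshd-keygen-wrapper) from 195.151.121.132
Feb 11 22:04:14 wfc xinetd[10977]: FAIL: ssh libwrap from=195.151.121.132
EOF
}

sample_log | refused_ssh_summary
```

To use it on a live machine, pipe the system log into `refused_ssh_summary` in place of `sample_log`.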