stopping C2 security account lockout on root via SSH

From: Mike Broderick (mikebroderick@gmail.com)
Date: Wed Jan 26 2005 - 20:40:29 EST

• Next message: Dr. Martin Körfer: "rsync-question"
• Previous message: Hunt Robert: "Unknown Messages."
• Next in thread: Mike Broderick: "SUMMARY: stopping C2 security account lockout on root via SSH"
• Reply: Mike Broderick: "SUMMARY: stopping C2 security account lockout on root via SSH"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I have a couple Tru64 boxes (4.0f and 5.1b) both using C2 security
that get occasional root login attacks via SSH. These attacks (3000
hits on root last time) cause the root account to get locked. I tried
disabling root logins from SSH with "PerminRootLogins no" (in
sshd_config) but I still see failed attempts logged in the auth db
(u_numunsuclog for root user increments). I then tried adding
"DenyUsers root" too which seems to work on the 4.0f system but not on
5.1b. I do get an "invalid user" error in the auth.log in both but on
5.1b u_numunsuclog still increments.

The Tru64 delivered ssh is not beig used, but rather a version of
OpenSSH manually downloaded/built. (4.0f has OpenSSH 3.1p1 and 5.1b
has 3.7.1p2) The 5.1b system was just upgraded from 5.1a to 5.1b.

                                                                      
             _Mike

• Next message: Dr. Martin Körfer: "rsync-question"
• Previous message: Hunt Robert: "Unknown Messages."
• Next in thread: Mike Broderick: "SUMMARY: stopping C2 security account lockout on root via SSH"
• Reply: Mike Broderick: "SUMMARY: stopping C2 security account lockout on root via SSH"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:50:14 EDT