SANS Top 20 updated
SANS has released its Spring 2006 Top 20 list. After reading through this list, I would say that it accurately reflects many of the recent threats we've seen or expect to see. For those of you who run web-based applications, especially PHP content management systems, take note of the information listed under "Web Applications" in the "Cross Platform Applications" section.
Using TCP Wrappers with SSH
If you are running a server or workstation with an SSH server, you may have noticed that your logs fill up with failed authentication attempts from hosts you have never heard of. These attacks usually consist of tens to thousands of attempts to log in using various usernames and passwords. These SSH enumeration attacks are aimed at obtaining access to systems by guessing weak user passwords, or by using widely known default account/password pairs that administrators or users never change.
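The quickest way to see how much of this noise a host is taking is to count failed password attempts per source address. The following POSIX shell/awk script is an added example (not part of the original post); the sshd syslog lines it works on are constructed for the demo, in the format OpenSSH writes to /var/log/auth.log or /var/log/secure, and the 10.0.0.5 / 192.0.2.77 / 172.16.23.10 addresses are made up.

```shell
# Added example: triage sshd brute-force noise from auth logs.
# SAMPLE_LOG is constructed test data, not real log output.
SAMPLE_LOG='May  1 03:12:01 host sshd[2210]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2
May  1 03:12:03 host sshd[2212]: Failed password for invalid user test from 10.0.0.5 port 40130 ssh2
May  1 03:12:05 host sshd[2214]: Failed password for root from 10.0.0.5 port 40140 ssh2
May  1 03:15:40 host sshd[2301]: Failed password for oracle from 192.0.2.77 port 51002 ssh2
May  1 03:16:00 host sshd[2305]: Accepted publickey for alice from 172.16.23.10 port 52000 ssh2
May  1 03:16:30 host sshd[2310]: Failed password for invalid user guest from 192.0.2.77 port 51010 ssh2'

# failed_by_source: read log text on stdin, print "count ip" for every source
# that produced a "Failed password" line, busiest source first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# usernames_tried IP: distinct usernames attempted from one source address.
# The username is the token right before "from", whether or not the line
# carries the "invalid user" prefix.
usernames_tried() {
    ip="$1"
    awk -v ip="$ip" '/Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == ip) print $(i-1)
         }' | sort -u
}

# sources_over N: source addresses with at least N failed attempts, i.e. the
# candidates for a block list.
sources_over() {
    threshold="$1"
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | usernames_tried 10.0.0.5
```

Pipe a real log through the same functions (for example, `failed_by_source < /var/log/auth.log`); the "Accepted" line in the sample is there to confirm that successful logins are not counted.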
To protect against these types of attacks, the STEAM-CIRT recommends that you block access to your SSH server from any host that you would not expect to make valid login attempts. One way to do this on most UNIX and Linux hosts is to set simple access rules for SSH using TCP Wrappers. This only works if your sshd was built with TCP Wrappers support (it must be linked against libwrap; on most Linux systems `ldd /usr/sbin/sshd | grep libwrap` will tell you). The following example, placed in /etc/hosts.allow, restricts access to your SSH daemon to only the IPs you want to reach the SSH service. For more information on configuring TCP Wrappers, see the hosts_access(5) and hosts_options(5) manpages on your system.
# /etc/hosts.allow
# TCP Wrappers honors the first rule it matches, so list all
# valid hosts first! (The "allow"/"deny" keywords put both kinds of
# rule in this one file; they need hosts_options(5) support, which
# is the default on Linux builds of tcpd/libwrap.)
# Allow access from any host on the 172.16.23.0/24 subnet
# (a pattern ending in "." matches every address with that prefix)
sshd : 172.16.23. : allow
# Allow access from the single host 172.16.24.5
sshd : 172.16.24.5 : allow
# DENY access to everyone else
sshd : ALL : deny
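Because the first matching rule wins, a rule set that is right in content but wrong in order (the `ALL : deny` line first) locks everyone out, including the addresses you meant to allow. The POSIX shell script below is an added example (not part of the original post) that dry-runs the rules above against a few client addresses, for the correct order and for the misordered variant. It implements only the subset of the hosts_access(5) pattern language the post uses (a daemon name, `ALL`, a trailing-dot network prefix, and an exact address) and assumes, as the post does, that all rules live in /etc/hosts.allow. On a real system, `tcpdmatch sshd 172.16.24.5` from the tcp_wrappers package does the same check against the live files; the 198.51.100.1 and 172.16.230.1 test addresses are made up.

```shell
# Added example: dry-run hosts.allow rules to confirm first-match ordering.
# Only the patterns used in the post are understood: daemon name or ALL,
# "a.b.c." network prefix, exact IP, ALL. Rules are "daemon : client : action".

# The post's rule set, in the correct order.
GOOD_RULES='sshd : 172.16.23. : allow
sshd : 172.16.24.5 : allow
sshd : ALL : deny'

# The same three rules with the catch-all deny first: a common mistake.
BAD_RULES='sshd : ALL : deny
sshd : 172.16.23. : allow
sshd : 172.16.24.5 : allow'

# pattern_matches PATTERN VALUE -> exit 0 if VALUE matches PATTERN.
# A pattern ending in "." is a network prefix: 172.16.23. matches
# 172.16.23.9 but not 172.16.230.1, because the dot must match too.
pattern_matches() {
    pat="$1"; val="$2"
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$val" ] ;;
    esac
}

# wrap_decision RULES DAEMON CLIENT -> prints allow, deny, or no-rule.
# Scans the rules top to bottom and stops at the first line whose daemon
# and client patterns both match, exactly as tcpd does within one file.
wrap_decision() {
    rules="$1"; daemon="$2"; client="$3"
    result=$(printf '%s\n' "$rules" | while IFS=: read -r d c a; do
        d=$(printf '%s' "$d" | tr -d '[:blank:]')
        c=$(printf '%s' "$c" | tr -d '[:blank:]')
        a=$(printf '%s' "$a" | tr -d '[:blank:]')
        case "$d" in ''|\#*) continue ;; esac          # blank line or comment
        if pattern_matches "$d" "$daemon" && pattern_matches "$c" "$client"; then
            printf '%s' "$a"
            exit 0                                      # subshell: first match wins
        fi
    done)
    printf '%s\n' "${result:-no-rule}"
}

# Stand-alone run: compare both orderings for a few (made-up) clients.
for ip in 172.16.23.9 172.16.230.1 172.16.24.5 172.16.24.6 198.51.100.1; do
    printf '%-14s correct-order=%-5s deny-first=%s\n' "$ip" \
        "$(wrap_decision "$GOOD_RULES" sshd "$ip")" \
        "$(wrap_decision "$BAD_RULES" sshd "$ip")"
done
```

Note the 172.16.230.1 case: the trailing dot in `172.16.23.` is what keeps that address out, which is why the prefix form is written with the dot rather than as `172.16.23`.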
Posted by Matthew Wirges on May 02, 2006, in Handlers Log.