
Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)



Hi.

Thanks for your reply!

Another question came up here. Is it really likely to be an SSH brute force 
break-in, or could the attacker have been able to log in some other way? What 
is currently possible in that respect on a machine that runs ssh, apache, 
php, exim and nothing else (all as of Debian 3.1)?

On Thursday 21 July 2005 22:51, Thomas Sjögren wrote:
> > Are pwgen-passwords with 8 chars, containing upper/lower case and numbers
> > really that insecure?
>
> Good initial passwords don't really protect anything if the users are
> able to change the password into a really crappy one. Consider using
> libpam-passwdqc.

Well, the regular users (5 on that machine) couldn't change their passwords, 
plus the second hack happened after those had been changed (by me) but not 
yet handed out. So...

> . Use iptables to block everything, and allow only what's needed
> . Set Allow{Users,Group} for ssh

But those two don't seem to make too much sense - correct me if I'm wrong. 
iptables cannot block ports on which nothing is listening, and they cannot 
block something that must be reachable. The same essentially goes for the 
sshd options. Or am I assuming the wrong things, and missing others?

Karsten
-- 
This email is ROT26 encrypted, by reading it you are in violation of the
DMCA, and should turn yourself in to the authorities immediately.
                                                           (Chris Berry)


