[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSH attack

On Mon, 03 Oct 2005 19:44:38 -0400
Gene Heskett <gene.heskett@verizon.net> wrote:

> Somebody mentioned portsentry, and I don't know why so many admins
> seem to hate it.  I've been running it here for probably 6-7 years,
> and its automaticly dropped lots of connection attempts back when I

And portsenty is simple enought to set up so that the first bad attempt
gets the IP locked out. Maybe at some future time, you'll make it
OK for that IP to access your system, that's up to you. After all, some 
IPs tend to get recycled.

I wonder why it's missing (but not hard to find) on some Linux
distributions. Mandriva/Mandrake used to include it, but it got dropped.

> was using dialup on ppp.  But now I've a dsl connection, with a
> router between the modem and the firewall, the firewall is 2 nics
> with iptables between them.  In 3 years+ of dsl, I've been hit 3

I've been hit a few times as well - had this ip here since Dec 2000
(dsl) which is not too bad. I found portsentry (once I discovered it,
and how it would fix things) invaluable when the slapper vairants were
in vogue. Once I came to my system, and found that internet activity
was severely impaired - thanks to all the funny stuff going on, I could
barely get enough bandwidth to load up a web page. Once I figured out
what was going on, I employed portsentry -- it stopped all that stuff
in a few minutes.

The other two times - was running a less than secure redhat system,
someone telnetted in (hate telnet) and was able to get through a
backdoor (insecure password on one of the admin "users"). The other
time was through a security hole in one of the smtp related apache
services. That one took a little while to recover from - basically some
persons unknown had used the exploit to use my box to send spam & they
did it using obscenely long www addresses to do it.

One thing - check logs. Any big increase in log size is a  clue that
something fishy is going on. I noticed the activity first by seemingly
high activity on /dev/eth0 as reported by gkrellm -- after all, I
wasn't doing much of anything, no ftp, no big mail downloads, etc., yet
the meter was being pinged. But the real clue was an auth.log.0 of >1.2
megabytes, where typically it's a couple of K.

> times hard enough to make it to the logs, and 2 of them

David E. Fox                              Thanks for letting me
dfox@tsoft.com                            change magnetic patterns
dfox@m206-157.dsl.tsoft.com               on your hard disk.

Reply to: