
Re: Security newbie?





Art Edwards wrote:
Security newbie?

I've been running debian @ home and @ work, for years, had no indication
of attacks. Over the last few days, my iptables firewall seemed simply
to stop. I checked my auth log file to find many, many attempts to break
in. My firewall was very simple. I have since added rules to drop
packets from offending IP addresses. So, I have a couple of very basic
questions:

1. Are there repositories of offending IP addresses to block? Can/should
one contribute to these?

2. The attacks never use the same user name more than once. Is there a
way to block access, even temporarily, from an IP address after a set
number of attempts, even if the attempts use different user names?

3. Are there other obvious things I should be doing?


ssh, by its design, is insecure. It SHOULD incorporate some means of limiting password attempts. It does not! Using alternate ports can be a pain in the butt as some programs (like webmin "filesystem backup") do not support alternate ports. I suggest 2 methods, fail2ban and a firewall, if you must allow password logins. You can set the firewall to allow only certain IPs or IP ranges. But do not get too comfortable with a firewall-ONLY solution. The first time the local firewall goes down, or is taken down and someone forgets to re-enable it, you'll get compromised.

Again, the best solution would be for ssh to incorporate a solution, thus if ssh is started, the solution is started... 


 


--
This message has been scanned for viruses and
dangerous content by RCRnet, and is
believed to be clean.