[olug] attempted attacks
Jaymz Ringler
jringler at unitedtransport.net
Tue Mar 8 18:58:53 UTC 2005
looks like the only thing missing is Snort-Inline
On Tue, 2005-03-08 at 10:27 -0800, Eric Lusk wrote:
> I already have all unnecessary services disabled
> and/or firewalled, really only running http and ssh.
> This alone should significantly improve the overall
> security. No one has admin access except me, and then
> no administrator can log in remotely; they have to log
> in as a user and then su from there. So I'm already
> pretty tight. At this point, I even set user
> passwords, and inform the user when I change them.
> Yes, I AM anal retentive. :)
> Bottom line, I may add in some additional steps to
> keep people out, but with how I'm set up, it sounds
> like I'm pretty safe (obviously safer than many users,
> who would already have had their system broken into by
> this bot).
> I'm just thinking about getting MORE anal than I am,
> knowing security is not optional, it's necessary.
> --- Sean Kelly <smkelly at zombie.org> wrote:
> > On Tue, Mar 08, 2005 at 09:26:41AM -0800, Eric Lusk wrote:
> > > yeah, I'm checking into several possibilities; just
> > > have the inability to log in as root, and setting a
> > > limit on login attempts is enough to deter most
> > > automated systems, at least.
> > > Anyone doing the attempts live is really bored. I'll
> > > change usernames to non-standard names, I noticed the
> > > attempts were using common names to log in, like adam,
> > > etc. So even adding numbers or using hackerspeak on
> > > usernames will greatly reduce the chance of an
> > > automated system getting in. That, and making sure no
> > > one is using anything like a real word for a password.
> > > (if you can guess my password, and then su as root, I
> > > must simply congratulate you).
> >
> > Forcing users to change usernames and learning how
> > to use SSH on a
> > non-standard port is not always a good solution.
> > Security through obscurity
> > is only a weak form of covering one's ass.
> >
> > The real trick is to deploy secure systems that use
> > secure products with
> > secure authentication. Noticing the pattern?
> > "Secure."
> >
> > Depending on the skill level of the users on the
> > machine, you might
> > consider using keys as an alternative to forcing
> > username changes. In the
> > FreeBSD cluster, we're required to send admins@ a
> > SSH public key, and then
> > we use that key and the associated passphrase to
> > login to any machine in
> > the cluster. Standard passwords are not supported.
> > As users, we can change
> > our key once logged in by uploading a new one, or we
> > can e-mail a new one
> > to admins@ with sufficient proof of who we are.
> >
> > As some others have already covered, you may also
> > consider the use of a
> > firewall. On several of my machines, I maintain an
> > ACL with lists of IPs
> > and netmasks for each user on the system. Only
> > matching IPs can access some
> > services on the machines.
> >
> > Another approach is to ignore it. Yes, ignore it.
> > Shut down all the
> > services you don't really need (finger, RPCs, FTP,
> > telnet, ...). Secure the
> > ones you do need either via SSH tunnelling with
> > keys, firewall, or just by
> > using decent software and being fairly diligent at
> > keeping it up to date.
> > Then, just ignore all the noise in syslog from
> > automated crap banging on
> > your machine.
> >
> > --
> > Sean Kelly | PGP KeyID: D2E5E296
> > smkelly at zombie.org | http://www.zombie.org
> > _______________________________________________
> > OLUG mailing list
> > OLUG at olug.org
> > http://lists.olug.org/mailman/listinfo/olug
> >
>
> http://www.ericshaus.com
> Alcohol and Calculus don't mix. Never drink and derive.
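Sean's suggestion to ignore the noise in syslog and Eric's observation that the attempts cycle through common usernames both rest on being able to tell an automated dictionary run from a real user mistyping a password. Below is an added example, not code from anyone in this thread: a small Python parser over constructed sshd log lines that groups failed-password events per source address and flags the dictionary pattern. The thresholds and the sample addresses, names and timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines (addresses, names and times are made up),
# modelled on the pattern the thread describes: one client walking a username list.
SAMPLE_AUTH_LOG = """\
Mar  8 09:01:02 host sshd[2101]: Failed password for invalid user adam from 198.51.100.7 port 40110 ssh2
Mar  8 09:01:03 host sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Mar  8 09:01:04 host sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2
Mar  8 09:01:05 host sshd[2104]: Failed password for root from 198.51.100.7 port 40113 ssh2
Mar  8 09:01:06 host sshd[2105]: Failed password for invalid user guest from 198.51.100.7 port 40114 ssh2
Mar  8 09:15:30 host sshd[2150]: Failed password for eric from 203.0.113.9 port 51020 ssh2
Mar  8 09:15:41 host sshd[2151]: Accepted publickey for eric from 203.0.113.9 port 51021 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize_failures(log_text):
    """Group failed-password events by source; returns {ip: {attempts, users, invalid, root}}."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0, "root": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        entry = per_ip[m["ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if m["invalid"]:
            entry["invalid"] += 1  # account does not exist on this host
        if m["user"] == "root":
            entry["root"] += 1
    return per_ip

def flag_dictionary_sources(summary, min_attempts=4, min_users=3):
    """Return sources whose failures look automated (heuristic chosen for this example).

    Many attempts spread over several usernames, most for accounts that do not
    exist, is the signature of a username-list bot, not a user mistyping once."""
    return sorted(ip for ip, e in summary.items()
                  if e["attempts"] >= min_attempts and len(e["users"]) >= min_users
                  and e["invalid"] > e["attempts"] // 2)

if __name__ == "__main__":
    s = summarize_failures(SAMPLE_AUTH_LOG)
    for ip in flag_dictionary_sources(s):
        e = s[ip]
        print(f"{ip}: {e['attempts']} failures, {len(e['users'])} usernames, root targeted {e['root']}x")
```

On a real host, feed it the output of the auth log instead of the constructed string; a source that appears here is noise to drop at the firewall, while a single failure for an existing user is usually just a typo.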