[olug] attempted attacks

Eric Lusk wyrmzr72 at yahoo.com
Tue Mar 8 19:06:17 UTC 2005


Sounds like a plan.  The one limit I do have with
security is the O/S is on a 1.6GB hard drive, which is
also why I keep the number of services down.  So a lot
of added software would be bad.  Editing pre-existing
settings is certainly no problem; you get 3 tries to
log in and that's it, so guessing passwords for actual
users is difficult unless they're doing something
stupid like using "password" as their password :)
--- Jaymz Ringler <jringler at unitedtransport.net>
wrote:

> looks like the only thing missing is Snort-Inline
> 
> 
> On Tue, 2005-03-08 at 10:27 -0800, Eric Lusk wrote:
> 
> > I already have all unnecessary services disabled
> > and/or firewalled, really only running http and ssh.
> > This alone should significantly improve the overall
> > security.  No one has admin access except me, and then
> > no administrator can log in remotely; they have to log
> > in as a user and then su from there.  So I'm already
> > pretty tight.  At this point, I even set user
> > passwords, and inform the user when I change them.
> > Yes, I AM anal retentive. :)
> > Bottom line, I may add in some additional steps to
> > keep people out, but with how I'm set up, it sounds
> > like I'm pretty safe (obviously safer than many users,
> > who would already have had their system broken into by
> > this bot).
> > I'm just thinking about getting MORE anal than I am,
> > knowing security is not optional, it's necessary.
> > --- Sean Kelly <smkelly at zombie.org> wrote:
> > > On Tue, Mar 08, 2005 at 09:26:41AM -0800, Eric Lusk wrote:
> > > > yeah, I'm checking into several possibilities; just
> > > > have the inability to log in as root, and setting a
> > > > limit on login attempts is enough to deter most
> > > > automated systems, at least.
> > > > Anyone doing the attempts live is really bored.  I'll
> > > > change usernames to non-standard names, I noticed the
> > > > attempts were using common names to log in, like adam,
> > > > etc.  So even adding numbers or using hackerspeak on
> > > > usernames will greatly reduce the chance of an
> > > > automated system getting in.  That, and making sure no
> > > > one is using anything like a real word for a password.
> > > >  (if you can guess my password, and then su as root, I
> > > > must simply congratulate you).
> > > 
> > > Forcing users to change usernames and learning how to use SSH on a
> > > non-standard port is not always a good solution. Security through obscurity
> > > is only a weak form of covering one's ass.
> > > 
> > > The real trick is to deploy secure systems that use secure products with
> > > secure authentication. Noticing the pattern? "Secure."
> > > 
> > > Depending on the skill level of the users on the machine, you might
> > > consider using keys as an alternative to forcing username changes. In the
> > > FreeBSD cluster, we're required to send admins@ a SSH public key, and then
> > > we use that key and the associated passphrase to login to any machine in
> > > the cluster. Standard passwords are not supported. As users, we can change
> > > our key once logged in by uploading a new one, or we can e-mail a new one
> > > to admins@ with sufficient proof of who we are.
> > > 
> > > As some others have already covered, you may also consider the use of a
> > > firewall. On several of my machines, I maintain an ACL with lists of IPs
> > > and netmasks for each user on the system. Only matching IPs can access some
> > > services on the machines.
> > > 
> > > Another approach is to ignore it. Yes, ignore it. Shut down all the
> > > services you don't really need (finger, RPCs, FTP, telnet, ...). Secure the
> > > ones you do need either via SSH tunnelling with keys, firewall, or just by
> > > using decent software and being fairly diligent at keeping it up to date.
> > > Then, just ignore all the noise in syslog from automated crap banging on
> > > your machine.
> > > 
> > > -- 
> > > Sean Kelly         | PGP KeyID: D2E5E296
> > > smkelly at zombie.org | http://www.zombie.org
> > > _______________________________________________
> > > OLUG mailing list
> > > OLUG at olug.org
> > > http://lists.olug.org/mailman/listinfo/olug
> > > 
> > 
> > http://www.ericshaus.com
> > Alcohol and Calculus don't mix.  Never drink and derive.
> > 
> > 


http://www.ericshaus.com
Alcohol and Calculus don't mix.  Never drink and derive.
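As an added example (not code from anyone in this thread), a POSIX shell audit of an sshd_config for the controls discussed above: no remote root login, a three-attempt cap, key-only authentication, and a per-user source-address allow list of the kind Sean describes. The two sample configs, the user names alice and bob, and the addresses are constructed; the CIDR form in AllowUsers assumes a reasonably modern OpenSSH.

```shell
# Added example (not from the OLUG thread): audit an sshd_config for the
# controls the thread discusses. Parsing is simplified: "Keyword value", first
# uncommented occurrence wins (as in sshd); "Keyword=value" and Match blocks ignored.

# Print the effective value of a keyword (case-insensitive); empty if unset.
ssh_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# One line per finding on stdout; exit status is the number of findings (0 = clean).
audit_sshd_config() {
    n=0
    root=$(ssh_setting "$1" PermitRootLogin)
    [ "$root" = "no" ] || { echo "PermitRootLogin=${root:-unset}: root can log in remotely"; n=$((n+1)); }
    tries=$(ssh_setting "$1" MaxAuthTries)
    { [ -n "$tries" ] && [ "$tries" -le 3 ]; } ||
        { echo "MaxAuthTries=${tries:-unset}: more than 3 guesses per connection"; n=$((n+1)); }
    pw=$(ssh_setting "$1" PasswordAuthentication)
    [ "$pw" = "no" ] || { echo "PasswordAuthentication=${pw:-unset}: keys not enforced"; n=$((n+1)); }
    allow=$(ssh_setting "$1" AllowUsers)
    case "$allow" in
        *@*) ;;
        *) echo "AllowUsers=${allow:-unset}: no per-user source-address restriction"; n=$((n+1)) ;;
    esac
    return $n
}

# Constructed sample configs with placeholder users and documentation addresses.
WORK=$(mktemp -d)
WEAK_CFG=$WORK/sshd_config.weak
HARDENED_CFG=$WORK/sshd_config.hardened
cat > "$WEAK_CFG" <<'EOF'
# permissive: root may log in remotely, passwords accepted, six guesses
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
EOF
cat > "$HARDENED_CFG" <<'EOF'
# no remote root (log in as a user, then su); three tries; keys only; per-user
# source ACL (the CIDR form in AllowUsers needs a reasonably modern OpenSSH)
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
AllowUsers alice@192.0.2.0/24 bob@198.51.100.7
EOF
for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do echo "== $cfg"; audit_sshd_config "$cfg" && echo clean || echo "$? finding(s)"; done
```

Run it against a real /etc/ssh/sshd_config to see which of the thread's controls are missing; sshd -T gives the fully resolved configuration if the simplified parser is not enough.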


