Re: repeated ssh login attempts/failure/break-in attempts from kiddy script
- From: Paul Schmehl <pauls@xxxxxxxxxxxx>
- Date: Fri, 31 Mar 2006 09:53:34 -0600
--On Friday, March 31, 2006 08:42:30 -0500 Nathan Vidican <nvidican@xxxxxxxxx> wrote:
> Noted recently in auth.log, a string of connection attempts
> repeated/failed over and over from one host - looks like a script
> someone's running, tries all kinds of various usernames, etc... attempts
> like 100-200 logins, fails and goes away.
> Few hours go by, and another such attempt, from a different IP comes in.
> If I'm here and just happen to notice them - simple ipfw add deny... does
> the trick, but is there not a way to limit the login attempts for a
> certain period of time?

Others have offered various solutions, but I think it's worth saying - when you connect to the internet, regardless of what OS or hardware you're running, you're going to be attacked 24/7. That's the nature of the internet. There's not a damn thing you can do about that. If you have the option of moving services to odd ports, then that provides an easy solution. Many people don't have that option.
However, by moving ssh to a different port, you aren't eliminating the problem - merely your knowledge of it. The attacks are still taking place. The service is no longer listening there. These attacks should be a warning to you. ALL the services on your box are being attacked 24/7. There are no exceptions.
What can you do?
Keep your box patched ALWAYS. OS is irrelevant. They ALL get broken into. (You name the OS - I've seen one hacked - RedHat, Debian, Slackware, Solaris, Mac OS X, it doesn't matter.)
NEVER run ANY unnecessary services. I haven't enabled inetd in so long I don't remember what's in it, but it's amazing how many boxes are still running chargen, rpc.statd and a host of other services that are completely unnecessary (not to mention that few even know what they do anymore.)
Restrict access to only those who should have access - by service and by needed access.
NEVER share your password with anyone, and use passwords that contain all four types of characters; lower case and upper case alpha, numeric and special. An eight character random alpha password can be cracked in less than an hour on a modern computer, so encryption is not enough.
Don't run inherently insecurely designed daemons. The first thing I do on every FreeBSD box I set up is disable sendmail and install postfix.
Run portaudit. Then you'll know about vulnerabilities immediately, and you can portupgrade to fix the problem.
Run a firewall, if you can. Incoming should be blocked by default except for allowed services.
Being secure and staying secure is your responsibility.
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
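The question Nathan raises (noticing a burst of failed logins from one host and blocking it with ipfw) can be turned into a small detection step. The script below is an added example, not code from either poster: it tallies "Failed password" lines in an auth.log-style file per source address and prints ipfw deny rules for any address at or above a threshold. The log lines are constructed samples in OpenSSH's syslog format, the rule number 100 and the threshold are assumptions, and the rules are printed for an administrator to review rather than applied, so a real log can be fed in without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): count failed sshd password
# attempts per source address and print ipfw deny rules for repeat offenders.
# The log lines below are constructed samples in OpenSSH's auth.log format.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 31 08:12:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 31 08:12:03 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Mar 31 08:12:05 host sshd[1205]: Failed password for root from 192.0.2.10 port 40141 ssh2
Mar 31 08:12:07 host sshd[1207]: Failed password for invalid user oracle from 192.0.2.10 port 40150 ssh2
Mar 31 08:30:44 host sshd[1301]: Failed password for nvidican from 198.51.100.7 port 51022 ssh2
Mar 31 08:31:02 host sshd[1305]: Accepted publickey for nvidican from 198.51.100.7 port 51030 ssh2
Mar 31 09:02:11 host sshd[1402]: Failed password for invalid user guest from 203.0.113.5 port 33001 ssh2
Mar 31 09:02:12 host sshd[1404]: Failed password for invalid user guest from 203.0.113.5 port 33002 ssh2
Mar 31 09:02:13 host sshd[1406]: Failed password for invalid user guest from 203.0.113.5 port 33003 ssh2
EOF

# failed_attempts FILE: print "count ip" for every source of a failed sshd
# password login, highest count first. Only "Failed password" lines count;
# accepted logins from the same address are ignored.
failed_attempts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# offenders FILE THRESHOLD: addresses with at least THRESHOLD failures, one per line.
offenders() {
    failed_attempts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# deny_rules FILE THRESHOLD RULENUM: ipfw commands to review before applying.
# Only inbound TCP to the ssh port is denied, so other traffic is unaffected.
deny_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'ipfw add %s deny tcp from %s to me dst-port 22\n' "$3" "$ip"
    done
}

# Stand-alone run: show the per-source tally, then the rules for >= 3 failures.
failed_attempts "$SAMPLE_LOG"
deny_rules "$SAMPLE_LOG" 3 100
```

Run against the sample, the single failure from 198.51.100.7 stays below the threshold while the two scanning hosts are listed; on a real system the same functions can be pointed at /var/log/auth.log from cron, with the threshold chosen so that a user mistyping a password a couple of times is never locked out.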
- References:
- repeated ssh login attempts/failure/break-in attempts from kiddy script
- From: Nathan Vidican