From: Matthew Seaman
To: Steve Suhre
Cc: Vulpes Velox, freebsd-questions@freebsd.org
Date: Thu, 28 Oct 2004 20:36:39 +0100
Subject: Re: Hacker activity?
Message-ID: <20041028193639.GA46862@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <6.0.3.0.2.20041028124740.03d9f700@nano.net>

On Thu, Oct 28, 2004 at 01:13:14PM -0600, Steve Suhre wrote:
> Thanks. Right now I'm blocking 66.249.6*.* on the secure server for the cgi
> script and haven't seen anything for a couple hours. The other intruder is
> a little slicker and moves around quite a bit. My interest is in the
> frequency, or lack thereof. Do they attack many sites at once, like spam,
> hoping to hit on a server that has a dictionary password? Rather than pound
> one server with all they've got? Distributed hacking? I can't think of
> another reason why someone would even try to hack into a server by logging
> in 50-100 times once or twice a week. You can't get root through anything
> but the console and 50-100 attempts don't cover a lot of password ground on
> the other accounts, most of which are locked down against shell access
> anyway.... I'm not really concerned about the activity, it would take eons
> to hack into anything this way. I'm wondering if there's something going on
> that I don't know, maybe this is a smoke screen to divert attention from
> the real threat? It doesn't make a lot of sense....

It's an automated attack -- just a script run by some kiddie that searches
the IP address space to find and break into Linux servers. It finds systems
that respond on port 22 and then tries to guess a number of account/password
combinations.
I believe the vast majority of scans originate from the far east, as do the
vast majority of compromised boxes -- something to do with a Linux distro
popular out there that had a bunch of unsecured accounts in its default
install. It's neither efficient nor cleverly implemented.

If you've got good passwords in place for all your user accounts, or you
require people to use key based auth to log in, or you move the port sshd
listens on, then the scans won't be able to hurt you. Switching to exclusive
use of key based auth is what I'd choose -- once you've got the keys set up
then it's not at all intrusive. Plus you can use the ssh-agent(1) to hold
your keys in memory, which means you don't have to keep reentering the pass
phrase each time you ssh into a new machine, even several hops away.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
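Added example, not part of the thread: a small Python summariser that picks the pattern Matthew describes (one source trying many usernames in a short burst) out of sshd "Failed password" lines, and separates it from a legitimate user mistyping a password. The log lines are constructed samples in the format OpenSSH writes to auth.log; the addresses, names and thresholds are assumptions, not values from the thread.

```python
"""Summarise SSH password-guessing activity from sshd log lines."""
import re
from collections import defaultdict

# Matches "Failed password for [invalid|illegal user ]NAME from ADDR port N ssh2".
# Older OpenSSH wrote "illegal user", newer versions write "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<addr>[\d.]+) port \d+"
)

# Constructed sample log: 192.0.2.10 behaves like the scanner in the thread,
# 198.51.100.7 is a real user who fumbled one password then used a key.
SAMPLE_LOG = """\
Oct 28 12:01:05 www sshd[4711]: Failed password for illegal user test from 192.0.2.10 port 40012 ssh2
Oct 28 12:01:07 www sshd[4712]: Failed password for illegal user guest from 192.0.2.10 port 40013 ssh2
Oct 28 12:01:09 www sshd[4713]: Failed password for illegal user admin from 192.0.2.10 port 40015 ssh2
Oct 28 12:01:11 www sshd[4714]: Failed password for root from 192.0.2.10 port 40017 ssh2
Oct 28 12:01:14 www sshd[4715]: Failed password for root from 192.0.2.10 port 40019 ssh2
Oct 28 12:30:00 www sshd[4801]: Failed password for steve from 198.51.100.7 port 51001 ssh2
Oct 28 12:30:20 www sshd[4802]: Accepted publickey for steve from 198.51.100.7 port 51002 ssh2
"""


def summarise_failures(log_text):
    """Return {addr: {"attempts": count, "users": sorted unique usernames}}."""
    per_addr = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue  # accepted logins and unrelated lines are skipped
        entry = per_addr[m.group("addr")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    return {a: {"attempts": e["attempts"], "users": sorted(e["users"])}
            for a, e in per_addr.items()}


def likely_scanners(summary, min_attempts=5, min_users=3):
    """Sources that cycled through several account names, the dictionary-scan
    signature, rather than one user retrying their own password."""
    return sorted(a for a, e in summary.items()
                  if e["attempts"] >= min_attempts and len(e["users"]) >= min_users)


if __name__ == "__main__":
    s = summarise_failures(SAMPLE_LOG)
    for addr in likely_scanners(s):
        print(f"{addr}: {s[addr]['attempts']} failures, users {s[addr]['users']}")
```

Point it at a real auth.log and the per-source counts give the "frequency" picture Steve was asking about; the thresholds are a starting point to tune against your own traffic.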