Date: Fri, 31 Mar 2006 09:53:34 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: questions@freebsd.org
Subject: Re: repeated ssh login attempts/failure/break-in attempts from kiddy script
Message-ID: <E5302AE0D6F111F4BB7A2AB4@utd59514.utdallas.edu>
In-Reply-To: <442D31C6.5050700@wmptl.com>
References: <442D31C6.5050700@wmptl.com>
--On Friday, March 31, 2006 08:42:30 -0500 Nathan Vidican <nvidican@wmptl.com> wrote:

> Noted recently in auth.log, a string of connection attempts
> repeated/failed over and over from one host - looks like a script
> someone's running, tries all kinds of various usernames, etc... attempts
> like 100-200 logins, fails and goes away.
>
> Few hours go by, and another such attempt, from a different IP comes in.
> If I'm here and just happen to notice them - simple ipfw add deny... does
> the trick, but is there not a way to limit the login attempts for a
> certain period of time?
>

Others have offered various solutions, but I think it's worth saying - when you connect to the internet, regardless of what OS or hardware you're running, you're going to be attacked 24/7. That's the nature of the internet. There's not a damn thing you can do about that. If you have the option of moving services to odd ports, then that provides an easy solution. Many people don't have that option.

However, by moving ssh to a different port, you aren't eliminating the problem - merely your knowledge of it. The attacks are still taking place. The service is no longer listening there. These attacks should be a warning to you. ALL the services on your box are being attacked 24/7. There are no exceptions.

What can you do?

Keep your box patched ALWAYS. OS is irrelevant. They ALL get broken into. (You name the OS - I've seen one hacked - RedHat, Debian, Slackware, Solaris, Mac OS X, it doesn't matter.)

NEVER run ANY unnecessary services. I haven't enabled inetd in so long I don't remember what's in it, but it's amazing how many boxes are still running chargen, rpc.statd and a host of other services that are completely unnecessary (not to mention that few even know what they do anymore.)
Restrict access to only those who should have access - by service and by needed access.

NEVER share your password with anyone, and use passwords that contain all four types of characters; lower case and upper case alpha, numeric and special. An eight character random alpha password can be cracked in less than an hour on a modern computer, so encryption is not enough.

Don't run inherently insecurely designed daemons. The first thing I do on every FreeBSD box I set up is disable sendmail and install postfix.

Run portaudit. Then you'll know about vulnerabilities immediately, and you can portupgrade to fix the problem.

Run a firewall, if you can. Incoming should be blocked by default except for allowed services.

Being secure and staying secure is your responsibility.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
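Nathan's question asks for a way to limit login attempts over a period of time, and Paul's reply points at the firewall. The script below is an added example for this archive page, not code posted by either of them: it reads the "Failed password" lines sshd writes to auth.log in syslog format, counts failures per source address inside a sliding time window, and renders an ipfw deny rule for every address that crosses the threshold. The log lines, the hostname, the addresses (documentation ranges), the threshold, the window length and the rule numbers are all constructed assumptions.

```python
"""Flag source addresses with repeated sshd login failures.

Added example, not code from the mailing-list thread. The log lines are
constructed in the format sshd writes via syslog to /var/log/auth.log;
threshold, window and ipfw rule numbers are arbitrary assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One "Failed password" line per attempt. The "Invalid user ..." line that
# precedes some of these describes the same attempt, so it is not counted,
# which avoids double-counting a single connection.
FAILED_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of auth.log: one fast scan, one user who mistyped once
# and then logged in, and one slow scan spread over half an hour.
SAMPLE_AUTH_LOG = """\
Mar 31 08:40:01 host1 sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 4711 ssh2
Mar 31 08:40:03 host1 sshd[4023]: Failed password for invalid user test from 192.0.2.10 port 4712 ssh2
Mar 31 08:40:05 host1 sshd[4025]: Failed password for root from 192.0.2.10 port 4713 ssh2
Mar 31 08:40:07 host1 sshd[4027]: Failed password for invalid user oracle from 192.0.2.10 port 4714 ssh2
Mar 31 08:40:09 host1 sshd[4029]: Failed password for invalid user guest from 192.0.2.10 port 4715 ssh2
Mar 31 09:15:00 host1 sshd[4101]: Failed password for nathan from 198.51.100.7 port 50022 ssh2
Mar 31 09:15:20 host1 sshd[4102]: Accepted publickey for nathan from 198.51.100.7 port 50022 ssh2
Mar 31 12:00:00 host1 sshd[4310]: Failed password for invalid user admin from 203.0.113.5 port 3301 ssh2
Mar 31 12:08:00 host1 sshd[4312]: Failed password for invalid user admin from 203.0.113.5 port 3302 ssh2
Mar 31 12:16:00 host1 sshd[4314]: Failed password for invalid user admin from 203.0.113.5 port 3303 ssh2
Mar 31 12:24:00 host1 sshd[4316]: Failed password for invalid user admin from 203.0.113.5 port 3304 ssh2
Mar 31 12:32:00 host1 sshd[4318]: Failed password for invalid user admin from 203.0.113.5 port 3305 ssh2
""".splitlines()


def parse_stamp(stamp, year=2006):
    """syslog timestamps carry no year, so one is assumed to make them comparable."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_failures(lines):
    """Yield (timestamp, source ip) for every failed-login line, in file order."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield parse_stamp(m.group("stamp")), m.group("ip")


def offenders(lines, threshold=5, window_seconds=600):
    """Return {ip: time of the failure that crossed the threshold}.

    Sliding window: an address is flagged the first time `threshold`
    failures fall inside any span of `window_seconds`. Lines are assumed
    to be in chronological order, as a log file normally is.
    """
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}
    for when, ip in parse_failures(lines):
        q = recent[ip]
        q.append(when)
        # Discard failures older than the window, measured from this one.
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = when
    return flagged


def ipfw_rules(flagged, base_rule=5000):
    """Render one ipfw deny rule per flagged address, numbered from base_rule."""
    return [
        f"ipfw add {base_rule + i} deny ip from {ip} to me"
        for i, ip in enumerate(sorted(flagged))
    ]


if __name__ == "__main__":
    for rule in ipfw_rules(offenders(SAMPLE_AUTH_LOG)):
        print(rule)
```

With the default five failures in ten minutes only the fast scanner is flagged: the user who mistyped once is left alone, and the slow scanner is only caught if the window is widened (or the threshold lowered), which is the trade-off any rate limit of this kind has to make. Rules emitted this way should be added with an expiry or cleared periodically rather than left to accumulate, since the addresses change every few hours, as Nathan observed.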