Date: Mon, 28 Dec 2009 14:59:51 -0800 (PST)
From: "Chris H" <chris#@1command.com>
To: freebsd-stable@freebsd.org
Subject: RE: Hacked - FreeBSD 7.1-Release
Message-ID: <8bdcbc5f08e9b762c3d2dcfe2fd00558.HRCIM@webmail.1command.com>
In-Reply-To: <600C0C33850FFE49B76BDD81AED4D25801371D8737@IMCMBX3.MITRE.ORG>
References: <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com> <4B20B509.4050501@yahoo.it> <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG> <ce92ed41260c438977298c2cf9dd1e3f.HRCIM@webmail.1command.com> <600C0C33850FFE49B76BDD81AED4D25801371D8737@IMCMBX3.MITRE.ORG>
On Mon, December 28, 2009 7:44 am, Andresen, Jason R. wrote:
>> From: Chris H
>>
>> On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>>> Squirrel wrote:
>>>
>>>> most likely could be some kind of remote code execution or SQLi executed in
>>>> the context of some php scripts, you should audit php code of your web
>>>> interface and of the websites you host. also consider the strength of your
>>>> passwords, lots of login attempts to ssh/ftp may mean he has tried a
>>>> bruteforce (or a dictionary attack maybe). you should also check webmin logs,
>>>> there are a few bruteforcers for webmin out there, (*hint*) consider the length
>>>> of your average password if it's more than 7-8 characters alphanumeric with
>>>> symbols most likely this isn't the case.
>>>
>>> While it's true that it's a good idea to check your password strength, pretty
>>> much any host connected to the internet is going to be hit daily by bots
>>> looking for weak passwords. It's one area where your logs don't help much
>>> because there is too much noise.
>>
>> That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1)
>> Consider the following...
>> adding the following to your /etc/rc.conf:
>>
>> # SECURITY RELATED
>> ####################################
>> syslogd_flags="-ss"
>> log_in_vain="YES"
>> tcp_keepalive="YES"
>>
>> now your log file will /really/ sing (log_in_vain="YES"). Of course, unless
>> you have a great deal of time on your hands, visually parsing that "noisy" log
>> will be quite tedious, and time consuming. So you have a few options... If you're
>> running X11, simply run tail in a root window - there are quite a few utilities
>> in ports for doing just this - some that'll only write messages you want to
>> see.
>> You could also create a script out of cron that will only produce
>> messages you are interested in, for example:
>>
>> ~# cat /var/log/messages | grep ssh
>>
>> will emit any attempt to ssh into your box. You can also redirect the messages
>> to a file:
>>
>> ~# cat /var/log/messages | grep ssh >>~/EVIL_DOERS
>>
>> You could also add an entry to PERIODIC(8) that will
>> provide a daily report on any attempts you are interested in.
>>
>> HTH
>>
>
> Your solution to excessive noise in the security log is to greatly increase the
> noise level?!?
>
> The point is, if your machine is on the internet, then bots are going to try
> password attacks on any open port they can find. It's just the sad fact of
> life on the current internet. Unfortunately, this activity will also make it
> much more difficult to determine when you are under attack from an actual
> person, which was my point earlier. It's one that is not going to be easy to
> solve either, unless you're willing to rewrite SSH to require every connection
> attempt to pass a Turing test or something.

My point here was that by increasing the verbosity, you will more easily be able
to grep against login /failures/, and more easily discover dictionary/
brute-force attacks. It's certainly made my job easier, and hasn't required any
modifications to our current policies.

You /have/ considered PF(4), haven't you? It's /really/ an excellent strategy
for securing your network.

--Chris H
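The daily report Chris describes (grep over /var/log/messages from cron or periodic(8)) as a worked example; this script is added here and is not from the thread or from FreeBSD. It assumes the sshd "Failed password ... from <ip>" and log_in_vain "Connection attempt to TCP/UDP <dst:port> from <src:port>" message shapes shown in the constructed sample lines, and counts failures per source so a dictionary run stands out from background noise.

```shell
#!/bin/sh
# Added example: summarise sshd login failures and log_in_vain kernel
# "Connection attempt" lines from a syslog file, as a periodic report would.
# The sample lines below are constructed (TEST-NET addresses); point the
# functions at /var/log/messages on a real host.

# "<count> <source-ip>" per source, most frequent first
ssh_failures() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "<count> <proto> <dst:port> <source-ip>" per distinct log_in_vain message
in_vain_attempts() {
    grep 'kernel: Connection attempt to ' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "attempt") {
                   split($(i + 5), src, ":"); print $(i + 2), $(i + 3), src[1] } }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# sources with at least $2 failed ssh logins in $1 (dictionary/brute-force candidates)
flag_bruteforce() {
    ssh_failures "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# constructed sample log, not a real host's /var/log/messages
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec 28 14:01:02 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec 28 14:01:05 gw sshd[1236]: Failed password for root from 203.0.113.5 port 40130 ssh2
Dec 28 14:01:09 gw sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Dec 28 14:02:10 gw sshd[1240]: Accepted publickey for chris from 198.51.100.7 port 50000 ssh2
Dec 28 14:02:40 gw sshd[1242]: Failed password for chris from 203.0.113.9 port 41000 ssh2
Dec 28 14:03:00 gw kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.5:51234 flags:0x02<SYN>
Dec 28 14:03:01 gw kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.9:4000
EOF

echo "== failed ssh logins by source =="
ssh_failures "$SAMPLE_LOG"
echo "== log_in_vain connection attempts =="
in_vain_attempts "$SAMPLE_LOG"
echo "== sources with 3 or more failures =="
flag_bruteforce "$SAMPLE_LOG" 3
```

Run it from /etc/periodic/daily (or cron) with the functions pointed at /var/log/messages and the threshold tuned to the host's normal failure rate.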