Fri, 2008-04-11 at 09:22 -0500, Mikkel L. Ellertson wrote:
> Antti J. Huhtala wrote:
> > A spot of overkill, perhaps?
> >
> > In my modest experience my Linux box has been compromised three (3)
> > times that I know of. The first was an RH 6.2 box, and my present box
> > has been invaded twice, first during the FC6 era and then soon after my
> > F8 installation last December.
> > Each and every time the invader came in through ssh. Against my better
> > judgement in installing F8 I allowed ssh to remain a "secure service" as
> > suggested by the F8 installer. Well, it proved not to be.
> >
> > There seem to be some "sportsmen" out there who just can't resist the
> > temptation of an open ssh port. Now, if I plan to use ssh to connect to
> > my box from a remote location, I'm going to have iptables rules to allow
> > ssh only from known addresses. Not very flexible, perhaps, but I don't
> > want to allow these sportsmen in again.
> >
> > In each case, just wiping the installation clean and reinstalling with
> > the ssh port closed seems to have done the trick.
> >
> > My 2 c.
> >
> > Antti
> >
> You should also set up SSH to only use key pairs to allow logins.
> Not username/password logins. This will foil "dictionary" attacks.
> If you do need to allow username/password logins, use one of the
> rate limiting packages to block the attacker after 3 or 4 failed
> logins in a row, or more than x attempts from one IP address
> in a short period of time. Picking good passwords helps as well.
>
> Mikkel

No doubt you're right, Mikkel, but I wanted to draw attention to the fact that the default Fedora installation *does* have ssh marked as a "secure service". You can disable that while installing, though, but what is the newbie to do? Does he know offhand that ssh is not really secure unless special steps are taken? No, he accepts default values.
After realising (with Ethereal, later Wireshark) that there were multiple attempts to get in via ssh, I installed fail2ban, and did get lots of addresses in the fail2ban logs in a relatively short while (2-3 weeks). I deliberately left ssh open to see how well F8 with fail2ban could cope with an (almost) default F8 installation. It took about 20 days for someone to get in and then run various commands until he found a vulnerable one. I caught that soon after realizing the logwatch messages no longer came either to my alias or to root. Your tip about not allowing username/password combinations is a good one. Any examples of an implementation of e.g. key pairs?

Antti
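Antti asks for an example of key-pair logins. The script below is an added example, not something posted in the original thread. It checks an sshd_config for the settings Mikkel's advice amounts to (public-key logins on, password and challenge-response logins off, root logins off), generates a client key pair whose public half goes into the server's authorized_keys, and emits the iptables rules Antti describes for admitting ssh only from known addresses. The two sshd_config fragments and the 192.0.2.x addresses are constructed for the demo; the key-pair step runs only if ssh-keygen is installed.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for key-only logins,
# generate a client key pair, and print iptables rules that allow SSH only
# from known source addresses. Configs and addresses below are constructed.

# Print the effective, lower-cased value of KEYWORD in sshd_config FILE.
# sshd keeps the FIRST value it reads for a keyword, so the first uncommented
# occurrence wins; only the global section (before any Match block) is read.
sshd_effective() {
    awk -v key="$1" '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank lines and comments
        tolower($1) == "match"             { exit }   # stop at the first Match block
        tolower($1) == tolower(key)        { print tolower($2); exit }
    ' "$2"
}

# Return 0 if FILE forces public-key logins, 1 otherwise, naming each miss.
# Unset keywords are treated as the OpenSSH defaults of that era (all "yes").
sshd_check_hardened() {
    conf=$1
    rc=0
    pa=$(sshd_effective PasswordAuthentication "$conf");          : "${pa:=yes}"
    cr=$(sshd_effective ChallengeResponseAuthentication "$conf"); : "${cr:=yes}"
    pk=$(sshd_effective PubkeyAuthentication "$conf");            : "${pk:=yes}"
    pr=$(sshd_effective PermitRootLogin "$conf");                 : "${pr:=yes}"

    [ "$pa" = no ]  || { echo "PasswordAuthentication $pa (want no)"; rc=1; }
    # Fedora builds sshd with UsePAM. If challenge-response stays on, PAM's
    # keyboard-interactive method still prompts for a password, so
    # PasswordAuthentication no alone does not keep passwords out.
    [ "$cr" = no ]  || { echo "ChallengeResponseAuthentication $cr (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication $pk (want yes)"; rc=1; }
    case $pr in
        no|without-password) ;;
        *) echo "PermitRootLogin $pr (want no or without-password)"; rc=1 ;;
    esac
    return $rc
}

# Generate a client key pair in DIR and print the public line that belongs in
# the server's ~/.ssh/authorized_keys (what ssh-copy-id user@host appends).
# No passphrase here only so the demo runs unattended; use one on a real box.
make_keypair() {
    dir=$1
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$dir/id_rsa" </dev/null
    chmod 600 "$dir/id_rsa"
    cat "$dir/id_rsa.pub"
}

# Print iptables commands that accept new SSH connections only from the given
# source addresses and drop every other new connection to port 22 (run as root).
ssh_allowlist_rules() {
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $src -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP"
}

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)

# Constructed: passwords on, and a "fix" appended at the end that sshd ignores
# because the earlier yes is the first value it read.
cat >"$WEAK_CONF" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# appended later by an admin; has no effect, the first value above wins
PasswordAuthentication no
EOF

# Constructed: the hardened file Mikkel's advice amounts to.
cat >"$HARD_CONF" <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    if sshd_check_hardened "$f"; then echo "$f: key-only logins enforced"
    else echo "$f: NOT hardened"; fi
done

# Allowed: one host and one small range (RFC 5737 documentation addresses).
ssh_allowlist_rules 192.0.2.10 192.0.2.0/28

if command -v ssh-keygen >/dev/null 2>&1; then
    KEYDIR=$(mktemp -d)
    make_keypair "$KEYDIR"
fi
```

After editing sshd_config on the server, run `sshd -t` and restart sshd while a second, already-authenticated session stays open, so a typo cannot lock you out. The check deliberately treats an unset PasswordAuthentication as "yes", because that is what the stock file relies on, and it reads only the first value of each keyword, which is the rule sshd itself follows.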