On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote:
> On Fri, 2008-04-11 at 09:22 -0500, Mikkel L. Ellertson wrote:
> > Antti J. Huhtala wrote:
> > > A spot of overkill, perhaps?
> > >
> > > In my modest experience my Linux box has been compromised three (3)
> > > times that I know of. The first was an RH 6.2 box, and my present box
> > > has been invaded twice, first during the FC6 era and then soon after my
> > > F8 installation last December.
> > > Each and every time the invader came in through ssh. Against my better
> > > judgement in installing F8 I allowed ssh to remain a "secure service" as
> > > suggested by the F8 installer. Well, it proved not to be.
> > >
> > > There seem to be some "sportsmen" out there who just can't resist the
> > > temptation of an open ssh port. Now, if I plan to use ssh to connect to
> > > my box from a remote location, I'm going to have iptables rules to allow
> > > ssh only from known addresses. Not very flexible, perhaps, but I don't
> > > want to allow these sportsmen in again.
> > >
> > > In each case, just wiping the installation clean and reinstalling with
> > > ssh port closed seems to have done the trick.
> > >
> > > My 2 c.
> > >
> > > Antti
> > >
> > You should also set up SSH to only use key pairs to allow logins.
> > Not username/password logins. This will foil "dictionary" attacks.
> > If you do need to allow username/password logins, use one of the
> > rate limiting packages to block the attacker after 3 or 4 failed
> > logins in a row, or more than x attempts from one IP address
> > in a short period of time. Picking good passwords helps as well.
> >
> > Mikkel
> No doubt you're right, Mikkel, but I wanted to draw attention to the
> fact that default Fedora installation *does* have ssh marked as "secure
> service". You can disable that while installing, though, but what is the
> newbie to do? Does he know offhand that ssh is not really secure unless
> special steps are taken? No, he accepts default values.
> After realising (with Ethereal, later Wireshark) there were multiple
> attempts to get in via ssh, I installed fail2ban, and did get lots of
> addresses in fail2ban logs in a relatively short while (2-3 weeks).
> I deliberately left ssh open to see how well F8 with fail2ban could cope
> with (almost) default F8 installation. It took about 20 days for someone
> to get in and then run various commands until he found a vulnerable one.
> I caught that soon after realizing the logwatch messages no longer came
> either to my alias or root.
>
> Your tip about not allowing username/password combinations is a good
> one. Any examples of an implementation of e.g. key pairs?

Yes, that would be good to see. May I also ask if any of you guys having
these attacks are behind a firewall and/or NAT? I use ssh but so far I
don't believe I've had any trouble. I'd like to be a little better
informed on this though, i.e. symptoms etc.
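An added example, not written by anyone in this thread, of what Mikkel's advice (key-pair logins only, rate limiting by source address) and Antti's fail2ban experiment look like in practice. It is a POSIX shell script that rewrites a copy of sshd_config to accept only public-key logins and then counts "Failed password" lines per source address, the condition a tool like fail2ban turns into a block. The config file, the log lines and the addresses in it are constructed for the example; nothing touches the live system.

```shell
#!/bin/sh
# Added example (not from this thread): two pieces of the advice above in
# shell form. Part 1 rewrites an sshd_config copy so that only key-pair
# logins are accepted; part 2 is a minimal fail2ban-style count of failed
# password attempts per source address. Everything below works on
# constructed files in a temporary directory, never on the live system.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_CFG="$WORK/sshd_config"   # constructed copy, not /etc/ssh/sshd_config
SAMPLE_LOG="$WORK/secure"        # constructed lines in /var/log/secure style

cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample config
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
UsePAM yes
EOF

cat > "$SAMPLE_LOG" <<'EOF'
Apr 11 17:57:01 box sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
Apr 11 17:57:03 box sshd[1235]: Failed password for root from 203.0.113.5 port 4445 ssh2
Apr 11 17:57:06 box sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 4446 ssh2
Apr 11 17:58:10 box sshd[1240]: Accepted publickey for antti from 192.0.2.10 port 50022 ssh2
Apr 11 17:58:11 box sshd[1241]: Failed password for invalid user oracle from 198.51.100.7 port 3333 ssh2
EOF

# Replace every (commented or active) occurrence of KEY with "KEY VALUE".
# sshd honours the first active occurrence of a directive, so removing the
# old ones and appending the new one leaves exactly one effective setting.
set_sshd_option() {
    cfg=$1; key=$2; value=$3
    grep -v -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$cfg" > "$cfg.tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Print the effective value of KEY: the first active (uncommented)
# occurrence, matched case-insensitively as sshd does. Match blocks are
# not handled by this simple reader.
effective_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Key-only logins: public keys on, password and keyboard-interactive off,
# no direct root login, few tries per connection.
harden_sshd_config() {
    cfg=$1
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" MaxAuthTries 3
}

# List source addresses with at least LIMIT "Failed password" lines in LOG,
# the condition a rate limiter such as fail2ban turns into a firewall rule.
ips_over_threshold() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) print ip }' "$1" | sort
}

# Demonstration on the constructed files.
harden_sshd_config "$SAMPLE_CFG"
echo "effective PasswordAuthentication: $(effective_sshd_option "$SAMPLE_CFG" PasswordAuthentication)"
echo "addresses with 3+ failed logins: $(ips_over_threshold "$SAMPLE_LOG" 3)"
# Before relying on such a config on a real host: keep an existing session
# open, install a public key in ~/.ssh/authorized_keys (ssh-keygen on the
# client, ssh-copy-id to the server), run "sshd -t" and only then reload.
```

The order of operations matters more than the directives themselves: put the public key in place and confirm a key login works from a second terminal before `PasswordAuthentication no` takes effect, or the lockout hits you rather than the "sportsmen". The per-address count is the whole of what fail2ban automates; the extra value it adds is the time window and the expiring iptables rule, which this script deliberately leaves out.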