Sat, 2008-04-12 at 08:16 +1000, Da Rock wrote:
> On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote:
> >
> > Your tip about not allowing username/password combinations is a good
> > one. Any examples of an implementation of e.g. key pairs?
>
> Yes, that would be good to see.

Mikkel already answered this one in another post.

> May I also ask if any of you guys having
> these attacks are behind a firewall and/or NAT?

At present, no separate router or other firewall, just the one Fedora 8
provides. I've only briefly tried NAT in my LAN, but not long enough to
observe whether invasion attempts were extended to the LAN.

> I use ssh but so far I
> don't believe I've had any trouble - I'd like to be a little better
> informed on this though: i.e. symptoms etc.
>

The problem with describing the various symptoms an intrusion may cause
is that it is difficult to avoid getting a little paranoid watching e.g.
unexpected and rather frequent hard disk activity. That's why I had to
remove beagled from my F7 installation. The hard disk light was on all
the time - or so it seemed. There are plenty of knowledgeable people on
this list who could tell you much more than I can.

Anyway, I monitor my system for intrusion attacks by having the Network
Monitor (or whatever the English term is) icon permanently on my lower
panel. Another icon I have there is the System Status (or whatever...).
If either of these shows high activity that I have not caused myself, I
look at top in a terminal window to see what's going on. Usually it is
yum-updatesd or makewhatis - sort of household chores.

It may be worthwhile to occasionally click on the Network Monitor icon
to see how many packets have gone in and out of the Internet interface.
If I haven't updated or downloaded anything, the input/output ratio is
usually well over 100:1. Most of this traffic is ARP broadcast packets -
but of course the 10-minute-interval e-mail traffic is there also. Some
of it is rejections from my box to whoever is trying to connect, i.e.
rejections of potential intruders.

As I said before, an almost sure sign of a compromised box is that
logwatch messages suddenly stop coming. Then it is time to run Wireshark
for some length of time to see what is going *out* of your box. 'Whois'
is another friend you probably need then.

Sorry, work commitments won't allow further comments this weekend.

HTH,
Antti
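Antti's checks above are mostly done by eye (panel icons, top, Wireshark). As an added example, not part of Antti's message or of anything else in this thread, the Python script below does the log-side part of that routine programmatically: it reads sshd lines in the syslog format Fedora writes to /var/log/secure, counts failed password attempts per source address, flags sources that cross a brute-force threshold, flags any *successful* login from an address that had been failing (a brute-force that got in), and checks whether the last logwatch report is older than expected. The log lines, the host name "fedora", the addresses and the threshold of 5 are all constructed for the example; the regular expressions are the author's own, not part of logwatch or sshd.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Two sshd line shapes as written to /var/log/secure on Fedora (syslog
# prefix, then "sshd[pid]: ..."). Hostnames, PIDs and addresses in the
# sample below are constructed for this example.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port \d+"
)

# Constructed sample log, not taken from any real host.
SAMPLE_LOG = """\
Apr 12 08:01:02 fedora sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Apr 12 08:01:04 fedora sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Apr 12 08:01:07 fedora sshd[2105]: Failed password for root from 203.0.113.5 port 40141 ssh2
Apr 12 08:01:09 fedora sshd[2107]: Failed password for root from 203.0.113.5 port 40150 ssh2
Apr 12 08:01:12 fedora sshd[2109]: Failed password for root from 203.0.113.5 port 40161 ssh2
Apr 12 08:01:15 fedora sshd[2111]: Accepted password for root from 203.0.113.5 port 40170 ssh2
Apr 12 08:16:33 fedora sshd[2190]: Accepted publickey for antti from 192.168.1.20 port 51000 ssh2
Apr 12 08:20:01 fedora sshd[2201]: Failed password for antti from 198.51.100.7 port 33001 ssh2
"""


def analyse_sshd(lines, threshold=5):
    """Summarise sshd activity from syslog lines.

    Returns a dict with:
      failures            - Counter of failed password attempts per source IP
      accepted            - list of (user, source, method) for successful logins
      brute_force_sources - sources with >= threshold failures
      suspicious_logins   - successful logins from a source that also failed
    """
    failures = Counter()
    accepted = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, source = m.groups()
            accepted.append((user, source, method))

    brute_force_sources = sorted(ip for ip, n in failures.items() if n >= threshold)
    # A password login from an address that was guessing is the real alarm:
    # the guessing worked. Key-based logins from clean addresses stay quiet.
    suspicious_logins = [entry for entry in accepted if failures[entry[1]] > 0]
    return {
        "failures": failures,
        "accepted": accepted,
        "brute_force_sources": brute_force_sources,
        "suspicious_logins": suspicious_logins,
    }


def logwatch_stale(last_report, now, max_gap=timedelta(hours=36)):
    """True if the daily logwatch mail has not arrived within max_gap.

    The 36-hour default (an assumption) leaves slack around a once-a-day
    cron run; a missing report is the symptom Antti describes, so it
    should be checked from a second machine, not the one being watched.
    """
    return now - last_report > max_gap


if __name__ == "__main__":
    result = analyse_sshd(SAMPLE_LOG.splitlines())
    for ip, n in result["failures"].most_common():
        print(f"{ip:16} {n} failed password attempts")
    print("brute-force sources:", result["brute_force_sources"])
    print("logins from guessing sources:", result["suspicious_logins"])
    # Assumed timestamps: last report Apr 10 04:02, checked Apr 12 08:16.
    print("logwatch stale:",
          logwatch_stale(datetime(2008, 4, 10, 4, 2), datetime(2008, 4, 12, 8, 16)))
```

Run against a real /var/log/secure by replacing SAMPLE_LOG with the file's lines; the "logins from guessing sources" list is the one worth reading first, because a dozen rejected attempts are background noise on any Internet-facing sshd while a single accepted password from the same address is not.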