Re: some attack to fedora machine .

On Sat, 2008-04-12 at 16:46 +0300, Antti J. Huhtala wrote:
> la, 2008-04-12 kello 08:16 +1000, Da Rock kirjoitti:
> > On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote:
> > > 
> > > Your tip about not allowing username/password combinations is a good
> > > one. Any examples of an implementation of eg. key pairs?
> > 
> > Yes, that would be good to see. 
> Mikkel already answered this one in another post.

Yeah, I noticed that - I'll get back to that shortly.

> > May I also ask if any of you guys having
> > these attacks are behind a firewall and/or NAT? 
> At present, no separate router or other firewall, just the one Fedora 8
> provides. I've only briefly tried NAT in my LAN but not long enough to
> observe whether invasion attempts were extended to the LAN.
> > I use ssh but so far I
> > don't believe I've had any trouble- I'd like to be a little better
> > informed on this though: ie symptoms etc.
> > 
> The problem with describing the various symptoms an intrusion may cause
> is that it is difficult to avoid getting a little paranoid watching eg.
> unexpected and rather frequent hard disk activity. That's why I had to
> remove beagled from my F7 installation. The hard disk light was on all
> the time - or so it seemed.
> There are plenty of knowledgeable people on this list who could tell you
> much more than I can. Anyway, I monitor my system for intrusion attacks
> by having the Network Monitor (or whatever the English term is) icon
> permanently on my lower panel. Another icon I have there is the System
> Status (or whatever..). If either of these shows high activity that I
> have not caused myself, I look at top in terminal window to see what's
> going on. Usually it is yum-updatesd or makewhatis - sort of household
> chores.
> It may be worthwhile to occasionally click on Network Monitor icon to
> see how many packages have gone in and out the Internet interface. If I
> haven't updated or downloaded anything, the input/output ratio is
> usually well over 100:1. Most of this traffic is ARP broadcast packets -
> but of course the 10-minute-interval e-mail traffic is there also. Some
> of it is rejections from my box to whoever is trying to connect, ie,
> rejections of potential intruders.
> As I said before, an almost sure sign of a compromised box is that
> logwatch messages suddenly stop coming. Then it is time to run Wireshark
> for some length of time to see what is going *out* of your box. 'Whois'
> is another friend you probably need then.

Sounds like it's not so much an attack on the machine as much as using it
as a platform to initiate other attacks - would this be correct?

IF this is the case, then a NAT would be a major hindrance to this. If
an attacker can't gain direct access to the machine, then ssh would
probably not be possible - at worst it would be a very good deterrent, as the
attacker would look for an easier target because he's not interested in
the machine itself.

Please, correct me if I'm wrong here. I'd love to see some log entries
for this attack too. In some ways I'm a bit green on security, but I
have been making some major progress in my education on how the attacks
work. But then, with security everybody has something to learn, don't
they?
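As an added illustration of the in/out packet-ratio heuristic described in the quoted post (this is example code, not something from the thread or its authors): a POSIX shell script that reads a /proc/net/dev snapshot and flags an interface whose outbound packet count outruns the inbound one. The 100:1 idle threshold, the interface names and the counter values are constructed assumptions.

```sh
#!/bin/sh
# Added example: apply the quoted "idle in/out packet ratio" check to a
# /proc/net/dev dump. An idle box that mostly hears broadcasts and replies
# little shows rx >> tx; a box suddenly sending far more than it receives is
# the case the post says to look at with Wireshark and whois.

# Constructed sample in the /proc/net/dev layout (not a real capture).
SAMPLE=$(cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4096      40    0    0    0     0          0         0     4096      40    0    0    0     0       0          0
  eth0: 9876543   58210    0    0    0     0          0     57900   123456     412    0    0    0     0       0          0
  eth1: 1234567    8800    0    0    0     0          0       300 88000000   91000    0    0    0     0       0          0
EOF
)

# iface_packets IFACE DATA -> prints "rx_packets tx_packets" (empty if absent).
iface_packets() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        /:/ { sub(/:/, ": "); $0 = $0        # "eth0:123" -> "eth0: 123", then re-split
              if ($1 == (ifc ":")) { print $3, $11; exit } }'
}

# classify_iface IFACE DATA [MIN_RATIO]
#   idle-ok        rx/tx >= MIN_RATIO (the post's idle box sat well over 100:1)
#   check-outbound tx > rx: the box is talking more than it is listening
#   normal-use     anything in between (updates, downloads, mail)
#   unknown        interface not in the dump
classify_iface() {
    pk=$(iface_packets "$1" "$2"); min=${3:-100}
    [ -z "$pk" ] && { echo unknown; return 1; }
    rx=${pk% *}; tx=${pk#* }
    if [ "$tx" -eq 0 ] || [ $((rx / tx)) -ge "$min" ]; then echo idle-ok
    elif [ "$tx" -gt "$rx" ]; then echo check-outbound
    else echo normal-use
    fi
}

# Stand-alone run: report every interface in the constructed sample.
for ifc in lo eth0 eth1; do
    printf '%-5s rx/tx packets: %-14s -> %s\n' "$ifc" \
        "$(iface_packets "$ifc" "$SAMPLE")" "$(classify_iface "$ifc" "$SAMPLE")"
done
```

On a live box, `classify_iface eth0 "$(cat /proc/net/dev)"` gives the same verdict for the real counters; the counters are cumulative since boot, so compare two snapshots taken a few minutes apart when the machine should be idle.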
