It seems in the past month brute force attacks are on the rise. They are targeting anyone listening on port 22 and go after root. If you do not have a hardened box, you will see thousands upon thousands of connections in your logs. Once logged in they will set your system up in their botnet. Google: dt_ssh5 This little baby will get placed in /tmp and will be running. Looks to be a SSH gateway for the attackers for easy access/control. -Make sure your root password is not a dictionary word. -Add iptables rules to limit multiple connections on SSH to 4 within a minute.[1] Perhaps this needs to become a Fedora default. -Update your system. -Use SELinux. Why am I sending this message? Is it SPAM? No. I've seen this hit a customer and cause an explosion in their network traffic. The backdoor was installed on Sept. 30th and was not detected until recently. Google results seem to indicate this past month with higher than normal brute force activity. [1] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
