Re: Heads up: Brute force attacks on the rise recently

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: "Michael Cronenworth" <mike@xxxxxxxxxx>
Sent: Wednesday, 2009/October/28 16:03



It seems in the past month brute force attacks are on the rise. They are
targeting anyone listening on port 22 and go after root. If you do not
have a hardened box, you will see thousands upon thousands of
connections in your logs. Once logged in they will set your system up in
their botnet.

Google: dt_ssh5
This little baby will get placed in /tmp and will be running. Looks to
be a SSH gateway for the attackers for easy access/control.

-Make sure your root password is not a dictionary word.
-Add iptables rules to limit multiple connections on SSH to 4 within a
minute.[1] Perhaps this needs to become a Fedora default.


Once within 3 minutes is entirely practical and effective. In the last
two days a pair of dolts kept trying 6621 times and 2185 times after the
door slammed shut in their faces. Their ISPs have been notified.


-Update your system.
-Use SELinux.

Why am I sending this message? Is it SPAM? No. I've seen this hit a
customer and cause an explosion in their network traffic. The backdoor
was installed on Sept. 30th and was not detected until recently. Google
results seem to indicate this past month with higher than normal brute
force activity.

[1]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
--update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
--set --name DEFAULT --rsource


I love those rules and have been spreading them around for quite some
time now. I am glad to see somebody else has either adopted or discovered
the rule trick. It is devastatingly effective. Guessing a password as
simple as "mE3" would take decades of attempts. (Now I want to configure
sshd so that it logs the attempted password along with the attempted user
name.)

{^_-}

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux