On Thu, Oct 29, 2009 at 12:52 PM, jdow <jdow@xxxxxxxxxxxxx> wrote:
> From: "Michael Cronenworth" <mike@xxxxxxxxxx>
> Sent: Wednesday, 2009/October/28 16:03
>
>> It seems in the past month brute force attacks are on the rise. They are
>> targeting anyone listening on port 22 and go after root. If you do not
>> have a hardened box, you will see thousands upon thousands of
>> connections in your logs. Once logged in they will set your system up in
>> their botnet.
>>
>> Google: dt_ssh5
>> This little baby will get placed in /tmp and will be running. Looks to
>> be a SSH gateway for the attackers for easy access/control.
>>
>> -Make sure your root password is not a dictionary word.
>> -Add iptables rules to limit multiple connections on SSH to 4 within a
>> minute.[1] Perhaps this needs to become a Fedora default.
>
> Once within 3 minutes is entirely practical and effective. In the last
> two days a pair of dolts kept trying 6621 times and 2185 times after the
> door slammed shut in their faces. Their ISPs have been notified.
>
>> -Update your system.
>> -Use SELinux.
>>
>> Why am I sending this message? Is it SPAM? No. I've seen this hit a
>> customer and cause an explosion in their network traffic. The backdoor
>> was installed on Sept. 30th and was not detected until recently. Google
>> results seem to indicate this past month with higher than normal brute
>> force activity.
>>
>> [1]
>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
>
> I love those rules and have been spreading them around for quite some
> time now. I am glad to see somebody else has either adopted or discovered
> the rule trick. It is devastatingly effective. Guessing a password as
> simple as "mE3" would take decades of attempts. (Now I want to configure
> sshd so that it logs the attempted password along with the attempted user
> name.)
>
> {^_-}
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

You can install fail2ban

# yum install fail2ban

Links: http://www.fail2ban.org/

--
Athmane Madjoudj
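Added illustration, not code from anyone in this thread: a Python model of how the two `-m recent` rules quoted above decide each new SSH connection, run over constructed connection timestamps (RFC 5737 documentation addresses stand in for real sources). It follows the xt_recent semantics of `--update`, which also records a packet that matched, so a source that keeps retrying inside the window extends its own lockout while one that pauses a full minute gets back in.

```python
from collections import defaultdict

SECONDS = 60   # --seconds 60
HITCOUNT = 4   # --hitcount 4


class RecentTable:
    """Per-source hit timestamps, as kept by 'iptables -m recent --name DEFAULT --rsource'."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)   # source address -> recorded hit times

    def new_connection(self, src, now):
        """Verdict for one NEW TCP connection to port 22 from src at time now (seconds)."""
        stamps = self.stamps[src]
        # Rule 1 (--update --seconds 60 --hitcount 4 -j DROP): matches only if the
        # source is already listed and has >= hitcount hits inside the window.
        # --update also records the matching packet, so retries extend the lockout.
        if stamps and sum(1 for t in stamps if now - t <= self.seconds) >= self.hitcount:
            stamps.append(now)
            return "DROP"
        # Rule 2 (--set): record the hit; with no -j target the packet continues
        # down the chain to whatever normally accepts port 22.
        stamps.append(now)
        return "ACCEPT"


def simulate(events, seconds=SECONDS, hitcount=HITCOUNT):
    """Run (time, src) events through a fresh table and return the verdict list."""
    table = RecentTable(seconds, hitcount)
    return [table.new_connection(src, t) for t, src in events]


# Constructed sample (documentation addresses, not real hosts): an admin opens
# four sessions in a minute; a guesser opens five in ten seconds, then retries
# every ten seconds, then gives up and comes back after a long pause.
ADMIN = [(0, "192.0.2.10"), (20, "192.0.2.10"), (40, "192.0.2.10"), (59, "192.0.2.10")]
GUESSER = ([(t, "198.51.100.7") for t in (0, 2, 4, 6, 8)]
           + [(t, "198.51.100.7") for t in range(20, 130, 10)]
           + [(300, "198.51.100.7")])

if __name__ == "__main__":
    for label, events in (("admin", ADMIN), ("guesser", GUESSER)):
        for (t, src), verdict in zip(events, simulate(events)):
            print(f"{label:8} t={t:3}s {src:14} {verdict}")
```

The model keeps every stamp; the kernel module keeps a bounded ring per address, which does not change the verdicts for inputs this small.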