Re: Heads up: Brute force attacks on the rise recently

On 10/29/2009 08:17 AM, Athmane Madjoudj wrote:
On Thu, Oct 29, 2009 at 12:52 PM, jdow<jdow@xxxxxxxxxxxxx>  wrote:
From: "Michael Cronenworth"<mike@xxxxxxxxxx>
Sent: Wednesday, 2009/October/28 16:03


It seems in the past month brute force attacks are on the rise. They are
targeting anyone listening on port 22 and go after root. If you do not
have a hardened box, you will see thousands upon thousands of
connections in your logs. Once logged in they will set your system up in
their botnet.

Google: dt_ssh5
This little baby will get placed in /tmp and will be running. Looks to
be an SSH gateway for the attackers for easy access/control.

-Make sure your root password is not a dictionary word.
-Add iptables rules to limit multiple connections on SSH to 4 within a
minute.[1] Perhaps this needs to become a Fedora default.

Once within 3 minutes is entirely practical and effective. In the last
two days a pair of dolts kept trying 6621 times and 2185 times after the
door slammed shut in their faces. Their ISPs have been notified.

-Update your system.
-Use SELinux.

Why am I sending this message? Is it SPAM? No. I've seen this hit a
customer and cause an explosion in their network traffic. The backdoor
was installed on Sept. 30th and was not detected until recently. Google
results seem to indicate this past month with higher than normal brute
force activity.

[1]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource

I love those rules and have been spreading them around for quite some
time now. I am glad to see somebody else has either adopted or discovered
the rule trick. It is devastatingly effective. Guessing a password as
simple as "mE3" would take decades of attempts. (Now I want to configure
sshd so that it logs the attempted password along with the attempted user
name.)

{^_-}

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

You can install fail2ban
# yum install fail2ban

Links:
http://www.fail2ban.org/

Don't install fail2ban; you will get twice the amount of "Gold Stars".

I had fail2ban on an x86_64 box and I was constantly getting SELinux Gold Stars.

I relabelled fail2ban a number of times to no avail.

I was told it was the way fail2ban was structured wrong; what that means, I have no idea. But I just uninstalled it.
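
Added example, not part of the original thread: a small Python model of the two `recent` rules quoted in [1], replayed over constructed traffic, showing why `--update` keeps a persistent source locked out while `--rcheck` (included only for comparison) lets it back in about once a minute. The addresses, timings and function names are assumptions; the model follows the documented behaviour of the `recent` match and ignores its per-address cap on stored timestamps.

```python
from collections import defaultdict

def simulate(events, seconds=60, hitcount=4, update=True):
    """Replay NEW connections to port 22 through the two rules from [1].

    events: iterable of (time_s, source_ip). update=True models --update
    (the thread's rule); update=False models --rcheck, for comparison only.
    Returns a list of (time_s, source_ip, "PASS" | "DROP").
    """
    stamps = defaultdict(list)  # per-source timestamps, i.e. the DEFAULT list
    verdicts = []
    for t, src in sorted(events):
        in_window = [s for s in stamps[src] if s >= t - seconds]
        if len(in_window) >= hitcount:
            # Rule 1 matched: DROP. --update also records this attempt, so
            # the window keeps sliding forward while the source keeps trying.
            if update:
                stamps[src].append(t)
            verdicts.append((t, src, "DROP"))
        else:
            # Rule 1 did not match; rule 2 (--set) records the connection
            # and the packet continues down the chain (assumed accepted).
            stamps[src].append(t)
            verdicts.append((t, src, "PASS"))
    return verdicts

def tally(verdicts, src):
    """Return (passed, dropped) counts for one source address."""
    passed = sum(1 for _, s, v in verdicts if s == src and v == "PASS")
    dropped = sum(1 for _, s, v in verdicts if s == src and v == "DROP")
    return passed, dropped

# Constructed traffic (documentation addresses): a guesser connecting every
# 10 s for 10 minutes, and an administrator logging in every 5 minutes.
GUESSER, ADMIN = "192.0.2.10", "198.51.100.7"
EVENTS = [(t, GUESSER) for t in range(0, 600, 10)] + \
         [(t, ADMIN) for t in (5, 305, 605)]

if __name__ == "__main__":
    for label, flag in (("--update", True), ("--rcheck", False)):
        v = simulate(EVENTS, update=flag)
        print(label, "guesser pass/drop:", tally(v, GUESSER),
              "admin pass/drop:", tally(v, ADMIN))
```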
