2009/10/29 Gene Heskett <gene.heskett@xxxxxxxxxxx>:
> On Thursday 29 October 2009, Athmane Madjoudj wrote:
>> On Thu, Oct 29, 2009 at 12:52 PM, jdow <jdow@xxxxxxxxxxxxx> wrote:
>>> From: "Michael Cronenworth" <mike@xxxxxxxxxx>
>>> Sent: Wednesday, 2009/October/28 16:03
>>>
>>>> It seems in the past month brute force attacks are on the rise. They are
>>>> targeting anyone listening on port 22 and go after root. If you do not
>>>> have a hardened box, you will see thousands upon thousands of
>>>> connections in your logs. Once logged in they will set your system up in
>>>> their botnet.
>>>>
>>>> Google: dt_ssh5
>>>> This little baby will get placed in /tmp and will be running. Looks to
>>>> be a SSH gateway for the attackers for easy access/control.
>>>>
>>>> - Make sure your root password is not a dictionary word.
>>>> - Add iptables rules to limit multiple connections on SSH to 4 within a
>>>>   minute.[1] Perhaps this needs to become a Fedora default.
>>>
>>> Once within 3 minutes is entirely practical and effective. In the last
>>> two days a pair of dolts kept trying 6621 times and 2185 times after the
>>> door slammed shut in their faces. Their ISPs have been notified.
>>>
>>>> - Update your system.
>>>> - Use SELinux.
>>>>
>>>> Why am I sending this message? Is it SPAM? No. I've seen this hit a
>>>> customer and cause an explosion in their network traffic. The backdoor
>>>> was installed on Sept. 30th and was not detected until recently. Google
>>>> results seem to indicate this past month with higher than normal brute
>>>> force activity.
>>>>
>>>> [1]
>>>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
>>>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
>>>
>>> I love those rules and have been spreading them around for quite some
>>> time now. I am glad to see somebody else has either adopted or discovered
>>> the rule trick. It is devastatingly effective. Guessing a password as
>>> simple as "mE3" would take decades of attempts. (Now I want to configure
>>> sshd so that it logs the attempted password along with the attempted user
>>> name.)
>>>
>>> {^_-}
>>>
>>> --
>>> fedora-list mailing list
>>> fedora-list@xxxxxxxxxx
>>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>>
>> You can install fail2ban
>> # yum install fail2ban
>>
>> Links:
>> http://www.fail2ban.org/
>>
> That may be all well and good, but how does one go about installing that on
> an x86 based dd-wrt router?
>
> I did install those two rules above though, as I used to watch it being
> banged on at subsecond intervals by some Id10t using a dictionary attack.
> They must have had a small dictionary as they usually went away after
> 300-3000 tries.
>
> It seems to have silenced the logging.

If you can't find a package for the router, you might want to find a way to
copy the log files off the router, process them on some machine, and then
pass the instructions back to the router.

-Yaakov
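Yaakov's suggestion above (copy the router's logs off, process them on another machine, push the resulting rules back) is sketched here as an added example; it is not code from the thread, from fail2ban or from dd-wrt. It assumes the standard OpenSSH "Failed password for ... from ..." syslog line format, uses constructed sample log lines, and applies the same 4-hits-in-60-seconds threshold as the iptables `recent` rule quoted earlier in the thread, except that the counter here is failed logins rather than new connections. The interface name `eth0` and the rule shape are assumptions.

```python
"""Offline sshd log processor: find brute-force sources in a copied auth log
and render the iptables DROP commands to push back to the router.

Added example, not from the thread. Assumes the OpenSSH syslog line format
and constructed sample data; the 4-in-60-seconds threshold mirrors the
'-m recent --seconds 60 --hitcount 4' rule quoted in the thread.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # same window as the quoted iptables rule
HITCOUNT = 4          # same hit count as the quoted iptables rule

# Constructed sample lines (not real data). 203.0.113.7 fails four times
# in eight seconds; 198.51.100.23 fails four times spread over twelve minutes.
SAMPLE_LOG = """\
Oct 29 12:50:01 router sshd[1201]: Failed password for root from 203.0.113.7 port 51422 ssh2
Oct 29 12:50:03 router sshd[1202]: Failed password for root from 203.0.113.7 port 51423 ssh2
Oct 29 12:50:05 router sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51424 ssh2
Oct 29 12:50:09 router sshd[1204]: Failed password for root from 203.0.113.7 port 51425 ssh2
Oct 29 12:50:10 router sshd[1205]: Accepted publickey for gene from 192.0.2.10 port 40001 ssh2
Oct 29 12:51:00 router sshd[1206]: Failed password for root from 198.51.100.23 port 33000 ssh2
Oct 29 12:55:00 router sshd[1207]: Failed password for root from 198.51.100.23 port 33001 ssh2
Oct 29 12:59:00 router sshd[1208]: Failed password for root from 198.51.100.23 port 33002 ssh2
Oct 29 13:03:00 router sshd[1209]: Failed password for root from 198.51.100.23 port 33003 ssh2
"""

# Matches OpenSSH failed-password lines, with or without "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2009):
    """Yield (timestamp, source_ip) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed).
    Accepted logins and unrelated lines are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def offenders(events, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Return the set of source IPs with >= hitcount failures inside any
    sliding window of `window` seconds (a software version of -m recent)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # expire entries older than the window
        if len(q) >= hitcount:
            banned.add(ip)
    return banned


def iptables_commands(banned, iface="eth0"):
    """Render one DROP rule per offender, inserted at the top of INPUT.
    These are the 'instructions' to pass back to the router (assumed shape)."""
    return [f"iptables -I INPUT -i {iface} -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(banned)]


if __name__ == "__main__":
    for cmd in iptables_commands(offenders(parse_failures(SAMPLE_LOG))):
        print(cmd)
```

Run against a real copied log by reading the file into `parse_failures` and feeding the printed commands to the router over its existing SSH session or startup script. The sliding window is what keeps the slow source out of the ban list: four failures in twelve minutes never puts four timestamps inside one 60-second window, matching how the quoted `recent` rule behaves.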