hack attempt on my server...What do you do about this?
Thomas Sapp
tpsapp at hotmail.com
Sun Jul 18 13:39:47 UTC 2004
Thanks for your suggestions. I'll give them all a shot and keep an eye
out as well for more info. I have followed my own advice and reported
the IPs to the companies that they belong to though. :-) I know, won't
do much good but what the heck. All three IPs belong to different
companies and all in Denmark! My little computer is growing up! It's
traveling the world via the internet! <sniff> <sniff> :-)
On Sun, 2004-07-18 at 06:30, John Thompson wrote:
> You could boot from a rescue cd and run "chkrootkit" although from the
> logs above it appears this was simply a scripted attack that failed.
> There are automated programs that scan IP blocks for open ftp servers
> and automatically launch attacks to anything they find in the hope that
> the server can be exploited for warez, pr0n, etc.
>
> If you need to transfer files in the future, you may want to use
> something other than ftp (e.g., "sftp" or "scp" from the OpenSSH package).
>
> If you simply must use ftp, configure iptables to only accept
> connections to ports 20 and 21 from known IPs; that is, the IP address
> or block for your work machine.
>
> If you use xinetd to launch the ftp server on demand, you can define
> rules to restrict access in a number of interesting ways.
>
> Also check your tcp_wrapper rules. Most modern ftp servers for Linux
> are compiled with tcp_wrapper support, which can add another layer of
> control/security to the transaction.
>
> --
>
> -John (john at os2.dhs.org)
--
Thanks,
Tom Sapp
http://www.sappsworld.com