Found, a new rootkit

John Summerfield debian at herakles.homelinux.org
Wed Apr 5 13:10:50 UTC 2006


Neil Cherry wrote:
> Rahul Sundaram wrote:
> 
>> On Sat, 2006-04-01 at 12:56 -0500, Neil Cherry wrote:
>>
>>> Gene Heskett wrote:
>>>
>>>> On Friday 31 March 2006 19:42, John Summerfield wrote:
>>>>
>>>>> A reasonable security system would shut down the login process for a
>>>>> time after some number of consecutive failed login attempts. It's a
>>>>> rule that's been around for a long time, it's even in Linux, but
>>>>> implemented poorly.
>>>>
>>>> And how does one go about turning that option on, with say a 15 
>>>> minute timeout?

That's the "implemented poorly" bit. The only place I know it's 
implemented is at the local virtual console where the delay's quite 
short, not configurable that I know of, and if you time out one, there 
are (by default, five) others to try, and by then the original getty's 
accepting logins again. Worse, you can reset the counter by typing ^D as 
a login name.



>>>
>>> Check out pam_abl on http://www.hexten.net/pam_abl/ (SourceForge
>>> project).
>>
>>
>> If you want to go this route, both denyhosts and pam_abl are available
>> for Fedora Extras.
> 
> 
> I've also used a Perl script to add these IP addresses to an iptables
> list but even with summarization I had thousands of denies. So I
> only allow a select few sites to get to my ssh and the attacks have
> completely stopped. Though I will say I'm not doing this commercially.

On some machines I administer remotely you need to have an account with 
my IAP to get past hosts.{allow,deny} with ssh, and the only other entry 
is via VPN: to breach that you need to know which house to burgle.





-- 

Cheers
John

-- spambait
1aaaaaaa at computerdatasafe.com.au  Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list
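The lockout the thread is asking for (some number of failed attempts from one source, then a timeout of, say, 15 minutes) in a form that can be run over sshd log lines. This is an added example and is not part of this post, nor the code of pam_abl, denyhosts or the Perl script mentioned; the log lines, host name, PIDs, addresses and the 5-failures-in-15-minutes policy are all constructed for the example, and the year is supplied because syslog timestamps carry none. Failures are counted per source address rather than per user name, so that the counter-reset trick described for the console (a different or empty login name) does not apply.

```python
"""Sliding-window lockout for failed SSH logins, keyed by source address.

Added example; not pam_abl, denyhosts or the Perl script from the thread,
but a minimal model of what they do.  Assumptions: syslog-style sshd lines
with no year (the year is supplied), 5 failures within 15 minutes trips the
lockout, and a locked address stays locked for 15 minutes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log.  Host name, PIDs and addresses (RFC 5737 ranges)
# are made up for the example.
SAMPLE_LOG = """\
Apr  1 12:40:00 herakles sshd[3990]: Failed password for root from 198.51.100.9 port 40001 ssh2
Apr  1 12:56:01 herakles sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50111 ssh2
Apr  1 12:56:03 herakles sshd[4023]: Failed password for root from 203.0.113.7 port 50112 ssh2
Apr  1 12:56:05 herakles sshd[4025]: Failed password for invalid user test from 203.0.113.7 port 50113 ssh2
Apr  1 12:56:07 herakles sshd[4027]: Failed password for root from 203.0.113.7 port 50114 ssh2
Apr  1 12:56:09 herakles sshd[4029]: Failed password for root from 203.0.113.7 port 50115 ssh2
Apr  1 12:56:11 herakles sshd[4031]: Accepted publickey for john from 192.0.2.10 port 51000 ssh2
Apr  1 13:20:00 herakles sshd[4100]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def _as_dt(value):
    """Accept a datetime or an ISO-8601 string such as '2006-04-01 13:00:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


class Lockout:
    """Count failures per source IP inside a sliding window; lock on threshold."""

    def __init__(self, threshold=5, window_minutes=15, lock_minutes=15):
        self.threshold = threshold
        self.window = timedelta(minutes=window_minutes)
        self.lock_for = timedelta(minutes=lock_minutes)
        self.failures = defaultdict(deque)   # ip -> timestamps still inside the window
        self.locked_until = {}               # ip -> datetime the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and _as_dt(now) < until

    def record_failure(self, ip, when):
        """Return True if this failure trips the lockout for `ip`."""
        when = _as_dt(when)
        q = self.failures[ip]
        q.append(when)
        # Only age evicts old failures; nothing the client sends (a different
        # or empty user name, a new connection) resets the count.
        while q and when - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[ip] = when + self.lock_for
            q.clear()
            return True
        return False


def process_log(text, year=2006, lockout=None):
    """Feed sshd log lines to a Lockout; return it plus the (ip, when) lockout events."""
    lockout = lockout or Lockout()
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                       # accepted logins and other noise
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if lockout.record_failure(m["ip"], when):
            events.append((m["ip"], when))
    return lockout, events


def deny_entries(ip):
    """The two block forms the thread mentions: a tcp_wrappers line for
    /etc/hosts.deny and an iptables rule inserted at the top of INPUT."""
    return (f"sshd: {ip}",
            f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP")


if __name__ == "__main__":
    lock, events = process_log(SAMPLE_LOG)
    for ip, when in events:
        print(f"{when}: locking {ip} until {lock.locked_until[ip]}")
        for entry in deny_entries(ip):
            print("   ", entry)
```

On the sample input only 203.0.113.7 is locked (five failures in eight seconds); 198.51.100.9 fails twice but forty minutes apart, so the first failure has aged out of the window by the time the second arrives. The lock expires on its own after `lock_minutes`, which is the part the thread found missing from the console implementation; the iptables form, if actually applied, would still need something to remove the rule again.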