Found, a new rootkit

jdow jdow at earthlink.net
Sat Apr 1 22:40:22 UTC 2006


From: "Gene Heskett" <gene.heskett at verizon.net>

> On Friday 31 March 2006 19:42, John Summerfield wrote:
>>Craig White wrote:
>>> it's actually the fault of the admins who don't use any password
>>> checking mechanisms, but I suppose that it's more feasible to blame
>>> stupid users...of course, I would never do such a thing  ;-)
>>
>>There is quite a deal of well-reasoned debate about what constitutes a
>>good password.
>>
>>First, one needs to be able to remember it without writing it down.
>> This meets Windows AD complexity requirements,
>>
>>10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa
>>
>>but I defy anyone to remember it any time soon!
>>
>>"bismcoles" would probably be easy for Bill Smith to remember, and
>> would certainly defy any dictionary attack. As would
>> "bluewatermelon."
>>
>>The expect package has a password generator that creates passwords
>> like this, but again they're hard to remember: "et3tUfGd."
>>
>>
>>A reasonable security system would shut down the login process for a
>>time after some number of consecutive failed login attempts. It's a
>> rule that's been around for a long time, it's even in Linux, but
>> implemented poorly.
> 
> And how does one go about turning that option on, with say a 15 minute 
> timeout?

Gene, search for prior postings I've made (and others) about the iptables
recent feature. How'd you like this? "You get three syn tries in two
minutes. More than that and the ssh port is locked for your IP address
until the number of attempts falls below three in the last two minutes."

If you forget your password or mangle your typing three times, wait about
a minute and type more carefully. Then you're in and Bob's your uncle.
Imagine a hacker trying to discover "abcdefgh" as a password if he only
can try three times every two minutes. Since they try large batches of
names and passwords all at once they'll never get more than two tries
per run. And users basically never notice it, even if two are sharing
the same IP connection behind a NAT firewall.

# iptables "recent" match: rule 1 records every SYN to port 22 for the source
# IP in list "sshattack"; rules 2 and 3 then reject (log, then TCP reset) when
# that IP has 3 or more recorded SYNs, counting this one, in the last 120 s.
# Rejected SYNs are recorded too, so the block lasts until the count drops.
IPTABLES=/sbin/iptables   # path assumed; the post does not define the variable
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack \
  --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack \
  --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset

Every couple of weeks I notice some other naif has tried to attack this site.
If the IP address is some place I never plan to visit, the entire range
of APNIC addresses is blocked. (Not much of Asia will ever get even one
syn into this machine.)

{^_-}
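The sliding window behind the rules in the post above, as an added example that is not part of the original message or of iptables itself. It models the `recent` match's per-source timestamp list in Python so the lockout behaviour can be traced without a firewall: `--set` appends the current SYN's timestamp, and `--rcheck --seconds S --hitcount N` matches when at least N recorded stamps, including the one just appended, fall inside the last S seconds. Assumptions (labelled in the code): the list keeps at most 20 stamps per address (the module's default `ip_pkt_list_tot`), a stamp counts as inside the window when `now - stamp <= S`, and every SYN passes the `--set` rule before the `--rcheck` rules, exactly as in the posted rule order. The sample timelines are constructed, not observed traffic; the `seconds=900` run shows the effect of the 15-minute window Gene asked about.

```python
"""Model of the iptables 'recent' match as used by the posted SSH rules.

Added example, not code from the post or from netfilter. Assumptions:
- at most LIST_LEN stamps are kept per source address (default 20),
- a stamp is "within --seconds S" when now - stamp <= S,
- every SYN hits the --set rule before the --rcheck rules (posted order).
"""
from collections import defaultdict, deque

LIST_LEN = 20  # assumed default of the module's ip_pkt_list_tot parameter


class RecentList:
    """One named list (here 'sshattack'), keyed by source IP address."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_LEN))

    def set(self, ip, now):
        """--set: record this packet's timestamp for ip (creating the entry)."""
        self.stamps[ip].append(now)

    def rcheck(self, ip, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: True when at least N recorded
        stamps for ip lie within the last S seconds. Does not modify the list."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for stamp in self.stamps[ip] if now - stamp <= seconds)
        return hits >= hitcount


def ssh_syn(recent, ip, now, seconds=120, hitcount=3):
    """Walk one SYN to port 22 through the three posted rules.

    Returns 'REJECT' (the LOG rule fires, then REJECT with a TCP reset) or
    'PASS' (no match; the SYN falls through to whatever ACCEPT rule follows
    in the real INPUT chain, which the post does not show)."""
    recent.set(ip, now)                                   # rule 1: --set
    if recent.rcheck(ip, now, seconds, hitcount):         # rules 2 and 3
        return "REJECT"
    return "PASS"


def simulate(events, seconds=120, hitcount=3):
    """events: iterable of (time_in_seconds, source_ip). Returns verdicts."""
    recent = RecentList()
    return [ssh_syn(recent, ip, t, seconds, hitcount) for t, ip in events]


# Constructed timeline: a user mistypes a password, retries at once, then waits.
USER = [
    (0, "198.51.100.7"),    # first SYN: 1 stamp in window, passes
    (10, "198.51.100.7"),   # second SYN: 2 stamps, passes
    (20, "198.51.100.7"),   # third SYN inside 120 s: 3 stamps, rejected
    (30, "198.51.100.7"),   # immediate retry: rejected, and recorded anyway
    (141, "198.51.100.7"),  # stamps 0 and 10 have aged out: 2 in window, passes
]

# Constructed timeline: a scanner firing one SYN per second for ten seconds.
SCANNER = [(t, "203.0.113.9") for t in range(10)]


if __name__ == "__main__":
    for label, run in (("user, 120 s window", simulate(USER)),
                       ("user, 900 s window", simulate(USER, seconds=900)),
                       ("scanner, 120 s window", simulate(SCANNER))):
        print(f"{label}: {' '.join(run)}")
```

The point the simulation makes visible is that the `--set` rule also records SYNs that go on to be rejected, so an address that keeps knocking never ages out of the window; the user in the first timeline gets through only after keeping quiet long enough for two old stamps to expire, and with `--seconds 900` that same retry at 141 s is still refused. The scanner timeline shows the "never more than two tries per run" effect: two SYNs pass and the remaining eight are reset.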
