Heads up: Brute force attacks on the rise recently

Gene Heskett gene.heskett at verizon.net
Thu Oct 29 16:48:50 UTC 2009


On Thursday 29 October 2009, Athmane Madjoudj wrote:
>On Thu, Oct 29, 2009 at 12:52 PM, jdow <jdow at earthlink.net> wrote:
>> From: "Michael Cronenworth" <mike at cchtml.com>
>> Sent: Wednesday, 2009/October/28 16:03
>>
>>> It seems in the past month brute force attacks are on the rise. They are
>>> targeting anyone listening on port 22 and go after root. If you do not
>>> have a hardened box, you will see thousands upon thousands of
>>> connections in your logs. Once logged in they will set your system up in
>>> their botnet.
>>>
>>> Google: dt_ssh5
>>> This little baby will get placed in /tmp and will be running. Looks to
>>> be a SSH gateway for the attackers for easy access/control.
>>>
>>> -Make sure your root password is not a dictionary word.
>>> -Add iptables rules to limit multiple connections on SSH to 4 within a
>>> minute.[1] Perhaps this needs to become a Fedora default.
>>
>> Once within 3 minutes is entirely practical and effective. In the last
>> two days a pair of dolts kept trying 6621 times and 2185 times after the
>> door slammed shut in their faces. Their ISPs have been notified.
>>
>>> -Update your system.
>>> -Use SELinux.
>>>
>>> Why am I sending this message? Is it SPAM? No. I've seen this hit a
>>> customer and cause an explosion in their network traffic. The backdoor
>>> was installed on Sept. 30th and was not detected until recently. Google
>>> results seem to indicate this past month with higher than normal brute
>>> force activity.
>>>
>>> [1]
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
>>> --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
>>> --set --name DEFAULT --rsource
>>
>> I love those rules and have been spreading them around for quite some
>> time now. I am glad to see somebody else has either adopted or discovered
>> the rule trick. It is devastatingly effective. Guessing a password as
>> simple as "mE3" would take decades of attempts. (Now I want to configure
>> sshd so that it logs the attempted password along with the attempted user
>> name.)
>>
>> {^_-}
>>
>> --
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>> Guidelines:
>> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>
>You can install fail2ban
>#yum install fail2ban
>
>Links:
>http://www.fail2ban.org/
>
That may be all well and good, but how does one go about installing that on
an x86-based dd-wrt router?

I did install those two rules above though, as I used to watch it being 
banged on at subsecond intervals by some Id10t using a dictionary attack.  
They must have had a small dictionary as they usually went away after 
300-3000 tries.

It seems to have silenced the logging.

Thanks & hi Joanne :)

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The NRA is offering FREE Associate memberships to anyone who wants them.
<https://www.nrahq.org/nrabonus/accept-membership.asp>

Never offend people with style when you can offend them with substance.
		-- Sam Brown, "The Washington Post", January 26, 1977
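The rate-limit rules quoted above depend on a detail of the `recent` match that is easy to misread: `--update` also records a timestamp when it matches, so a source that keeps hammering never ages out of the block, while one that pauses for the full window gets its allowance back. This added Python simulation (not from the thread, and not iptables code) models that behaviour with the quoted values, 4 hits per 60 s; it assumes xt_recent's default of 20 stored timestamps per source and uses constructed sample addresses.

```python
"""Simulate iptables' `-m recent` rate limit (4 NEW SSH connections per 60 s)."""
from collections import deque

PKT_LIST_TOT = 20  # assumed kernel default for xt_recent's ip_pkt_list_tot

class RecentTable:
    """One named `recent` list (e.g. DEFAULT), keyed by source address."""
    def __init__(self):
        self.entries = {}  # src -> deque of timestamps in seconds

    def _stamp(self, src, now):
        stamps = self.entries.setdefault(src, deque(maxlen=PKT_LIST_TOT))
        stamps.append(now)  # ring buffer: the oldest stamp is overwritten when full

    def set(self, src, now):
        """`--set`: record the source and the current time."""
        self._stamp(src, now)

    def update(self, src, now, seconds, hitcount):
        """`--update --seconds S --hitcount N`: True when the source already has
        at least N stamps within the last S seconds; a match also adds a stamp."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if s >= now - seconds)
        if hits >= hitcount:
            self._stamp(src, now)
            return True
        return False

def filter_new_connections(conns, seconds=60, hitcount=4):
    """Apply the two quoted rules to (time, src) NEW connections; return verdicts.
    PASS means the packet falls through to whatever rules follow, not ACCEPT."""
    table = RecentTable()
    verdicts = []
    for now, src in conns:
        if table.update(src, now, seconds, hitcount):   # rule 1: ... -j DROP
            verdicts.append("DROP")
        else:
            table.set(src, now)                         # rule 2: --set, no target
            verdicts.append("PASS")
    return verdicts

# Constructed sample: one source hammers sshd every 2 s for two minutes,
# another (documentation address) connects only twice.
SAMPLE = [(t, "198.51.100.7") for t in range(0, 120, 2)] + [(30, "203.0.113.9"), (90, "203.0.113.9")]
SAMPLE.sort()

if __name__ == "__main__":
    for (t, src), v in zip(SAMPLE, filter_new_connections(SAMPLE)):
        print(f"t={t:3d}s {src:14s} {v}")
```

The hammering source gets four attempts and is then dropped for the rest of the run, because every dropped attempt refreshes its timestamps; the quiet host is never touched.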