[K12OSN] Random system crashes: Linux gurus, what would you do?
mely at rogueriver.k12.or.us
Wed Dec 21 05:27:19 UTC 2005
> If you think your computer may have been broken into, it is best to do
> a fresh re-install. If a root kit was installed, it would hide the signs
> of damage and could very well cause stability problems.
>> I have also been having what I call dictionary attacks almost every
>> night, repeated login attempts via various ports and user names via
>> ssh, all from the same IP. But the only validated logins via ssh can
>> all be accounted for as coming from me or a trusted user.
> If you keep getting attacked from a specific IP address, it would be a good
> idea to firewall off that IP.
First off, I agree that there's a good chance that box is still rooted.
Just as in the case of a persistent spyware infestation on a Windows
machine, your only real hope of being sure that machine's clean is to do
With regard to the SSH brute-force attacks you're suffering,
unfortunately, that's become increasingly common of late. One tool I
use and heartily recommend is fail2ban, available at
The gist of how fail2ban works is that if a given IP address fails ssh
logins enough times within a given time period, it adds a DROP rule to
iptables for that address for a while. You can easily configure how
many failed logins leads to a blacklisting, and also how long the
It's a lot of fun to read /var/log/fail2ban.log too =]
PS: Sample output from my current fail2ban log. Enjoy:
2005-12-20 19:36:43,962 INFO: SSH: 22.214.171.124 has 6 login failure(s)
2005-12-20 19:36:44,182 WARNING: SSH: Ban 126.96.36.199
2005-12-20 19:37:52,374 INFO: SSH: 188.8.131.52 has 60 login failure(s
2005-12-20 19:38:48,741 ERROR: SSH: 184.108.40.206 already in ban list
2005-12-20 19:46:44,974 WARNING: SSH: Unban 220.127.116.11
2005-12-20 20:50:59,880 INFO: SSH: 18.104.22.168 has 5 login failure(s)
2005-12-20 20:50:59,882 WARNING: SSH: Ban 22.214.171.124
2005-12-20 20:51:56,685 INFO: SSH: 126.96.36.199 has 12 login failure(s
2005-12-20 20:52:47,621 ERROR: SSH: 188.8.131.52 already in ban list
2005-12-20 21:01:00,117 WARNING: SSH: Unban 184.108.40.206
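
The ban/unban cycle visible in the log above, as an added example that is not part of the original post and is not fail2ban's own code: it counts failed ssh logins per address inside a time window and reports when a ban would start and end. The names `simulate`, `max_failures`, `find_time` and `ban_time` are hypothetical, and the log lines are constructed, using documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 20 19:36:01 srv sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Dec 20 19:36:05 srv sshd[312]: Failed password for root from 203.0.113.7 port 4002 ssh2
Dec 20 19:36:09 srv sshd[313]: Failed password for invalid user test from 203.0.113.7 port 4003 ssh2
Dec 20 19:36:20 srv sshd[314]: Failed password for teacher from 198.51.100.9 port 5001 ssh2
Dec 20 19:36:30 srv sshd[315]: Failed password for root from 203.0.113.7 port 4004 ssh2
Dec 20 19:36:43 srv sshd[316]: Failed password for invalid user guest from 203.0.113.7 port 4005 ssh2
Dec 20 19:36:50 srv sshd[317]: Failed password for root from 203.0.113.7 port 4006 ssh2
Dec 20 19:40:00 srv sshd[318]: Accepted password for teacher from 192.0.2.10 port 6001 ssh2
Dec 20 19:41:00 srv sshd[319]: Failed password for teacher from 198.51.100.9 port 5002 ssh2
Dec 20 19:50:00 srv sshd[320]: Failed password for teacher from 198.51.100.9 port 5003 ssh2
""".splitlines()

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(lines, max_failures=5, find_time=600, ban_time=600, year=2005):
    """Return [(when, 'ban'|'unban', ip), ...] for the given log lines."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}                   # ip -> time the ban expires
    events = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other messages
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        for old_ip, expiry in sorted(banned.items(), key=lambda kv: kv[1]):
            if expiry <= now:     # ban has run out: lift it
                events.append((expiry, "unban", old_ip))
                del banned[old_ip]
        if ip in banned:
            continue              # already blocked; do not ban twice
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_failures:
            banned[ip] = now + timedelta(seconds=ban_time)
            events.append((now, "ban", ip))
            window.clear()
    return events

if __name__ == "__main__":
    for when, action, ip in simulate(SAMPLE_LOG):
        print(when, action, ip)
```

The address with three failures spread over fourteen minutes never reaches the threshold, which is why a trusted user who mistypes a password now and then is not locked out.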