[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] Random system crashes: Linux gurus, what would you do?

If you think your computer may have been broken into, it is best to do
a fresh re-install. If a root kit was installed, it would hide the signs
of damage and could very well cause stability problems.

I have also been having what I call dictionary attacks almost every night, repeated login attempts via various ports and user names via ssh, all from the same IP. But the only validated logins via ssh can all be accounted for as coming from me or a trusted user.

If you keep getting attacked from a specific IP address, it would be a good
idea to firewall off that IP.


First off, I agree that there's a good chance that box is still rooted. Just as in the case of a persistent spyware infestation on a windows machine, your only real hope of being sure that machine's clean is to do a wipe-and-reinstall.

With regard to the SSH brute-force attacks you're suffering, unfortunately, that's become increasingly common of late. One tool I use and heartily recommend is fail2ban, available at fail2ban.sourceforge.net

The gist of how fail2ban works is that if a given IP address fails ssh logins enough times within a given time period, it adds a DROP rule to iptables for that address for a while. You can easily configure how many failed logins leads to a blacklisting, and also how long the blacklisting lasts.

It's a lot of fun to read /var/log/fail2ban.log too =]


PS: Sample output from my current fail2ban log.  Enjoy:

2005-12-20 19:36:43,962 INFO: SSH: has 6 login failure(s)
. Banned.
2005-12-20 19:36:44,182 WARNING: SSH: Ban
2005-12-20 19:37:52,374 INFO: SSH: has 60 login failure(s
). Banned.
2005-12-20 19:38:48,741 ERROR: SSH: already in ban list
2005-12-20 19:46:44,974 WARNING: SSH: Unban
2005-12-20 20:50:59,880 INFO: SSH: has 5 login failure(s)
. Banned.
2005-12-20 20:50:59,882 WARNING: SSH: Ban
2005-12-20 20:51:56,685 INFO: SSH: has 12 login failure(s
). Banned.
2005-12-20 20:52:47,621 ERROR: SSH: already in ban list
2005-12-20 21:01:00,117 WARNING: SSH: Unban

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]