[K12OSN] Random system crashes: Linux gurus, what would you do?

Peter Hartmann ascensiontech at gmail.com
Wed Dec 21 05:41:30 UTC 2005


This is a preventative measure and it's pretty simple.  But you can
change the default ssh port too.  In /etc/ssh/sshd_config.


Peter

On 12/21/05, Mike Ely <mely at rogueriver.k12.or.us> wrote:
> > If you think your computer may have been broken into, it is best to do
> > a fresh re-install. If a root kit was installed, it would hide the signs
> > of damage and could very well cause stability problems.
> >
> >> I have also been having what I call dictionary attacks almost every
> >> night, repeated login attempts via various ports and user names via
> >> ssh, all from the same IP.  But the only validated logins via ssh can
> >> all be accounted for as coming from me or a trusted user.
> >
> > If you keep getting attacked from a specific IP address, it would be a good
> > idea to firewall off that IP.
> >
> > -Eric
> >
>
> First off, I agree that there's a good chance that box is still rooted.
>   Just as in the case of a persistent spyware infestation on a windows
> machine, your only real hope of being sure that machine's clean is to do
> a wipe-and-reinstall.
>
> With regard to the SSH brute-force attacks you're suffering,
> unfortunately, that's become increasingly common of late.  One tool I
> use and heartily recommend is fail2ban, available at
> fail2ban.sourceforge.net
>
> The gist of how fail2ban works is that if a given IP address fails ssh
> logins enough times within a given time period, it adds a DROP rule to
> iptables for that address for a while.  You can easily configure how
> many failed logins leads to a blacklisting, and also how long the
> blacklisting lasts.
>
> It's a lot of fun to read /var/log/fail2ban.log too =]
>
> Cheers,
> Mike
>
> PS: Sample output from my current fail2ban log.  Enjoy:
>
> 2005-12-20 19:36:43,962 INFO: SSH: 201.140.13.99 has 6 login failure(s). Banned.
> 2005-12-20 19:36:44,182 WARNING: SSH: Ban 201.140.13.99
> 2005-12-20 19:37:52,374 INFO: SSH: 201.140.13.99 has 60 login failure(s). Banned.
> 2005-12-20 19:38:48,741 ERROR: SSH: 201.140.13.99 already in ban list
> 2005-12-20 19:46:44,974 WARNING: SSH: Unban 201.140.13.99
> 2005-12-20 20:50:59,880 INFO: SSH: 62.148.87.146 has 5 login failure(s). Banned.
> 2005-12-20 20:50:59,882 WARNING: SSH: Ban 62.148.87.146
> 2005-12-20 20:51:56,685 INFO: SSH: 62.148.87.146 has 12 login failure(s). Banned.
> 2005-12-20 20:52:47,621 ERROR: SSH: 62.148.87.146 already in ban list
> 2005-12-20 21:01:00,117 WARNING: SSH: Unban 62.148.87.146
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>
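The sliding-window ban that Mike describes (count failed ssh logins per source address within a time window, DROP the address in iptables once a threshold is reached, lift the rule after the ban period) can be modelled in a few dozen lines. The block below is an added example for this thread; it is not fail2ban's own code and not code posted by anyone on the list. It reads constructed sshd log lines (the two addresses are the ones from Mike's fail2ban log, the timestamps and process ids are made up), keeps a per-address deque of failure times, and records the `iptables` commands it would run instead of executing them. The threshold values (`MAXRETRY`, `FINDTIME`, `BANTIME`), the regexes, the `Jail` class and the `run` function are all assumptions chosen for the example; the ten-minute ban length is taken from the Ban/Unban timestamps in the quoted log.

```python
"""Sliding-window SSH brute-force banner in the spirit of fail2ban (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, playing the role of fail2ban's maxretry / findtime / bantime.
MAXRETRY = 5                       # failures inside FINDTIME that trigger a ban
FINDTIME = timedelta(minutes=10)   # sliding window over which failures are counted
BANTIME = timedelta(minutes=10)    # matches the 19:36:44 Ban -> 19:46:44 Unban in Mike's log

# sshd's "Failed password ... from <ip>" line; "invalid user" is present for unknown accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
# Syslog timestamps carry no year; the example assumes 2005 to match the thread.
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")
YEAR = 2005


def ban_rule(ip):
    """The DROP rule fail2ban-style tools insert for a banned address."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def unban_rule(ip):
    """The matching delete that lifts the ban."""
    return f"iptables -D INPUT -s {ip} -j DROP"


class Jail:
    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time at which the ban expires
        self.actions = []                    # (kind, ip, command) that would be executed

    def _expire(self, now):
        """Lift bans whose bantime has elapsed (fail2ban's 'Unban' step)."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(("unban", ip, unban_rule(ip)))

    def feed(self, line):
        """Process one log line; returns what was decided for it, or None if irrelevant."""
        ts, m = TS_RE.match(line), FAILED_RE.search(line)
        if not ts or not m:
            return None                      # accepted logins and other noise are ignored
        now = datetime.strptime(f"{YEAR} {ts.group(1)}", "%Y %b %d %H:%M:%S")
        self._expire(now)
        ip = m.group(1)
        if ip in self.banned:
            return "already banned"          # fail2ban logs "already in ban list" here
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            self.actions.append(("ban", ip, ban_rule(ip)))
            return "ban"
        return "counted"


# Constructed sample log: five failures from one address inside a minute, one more while
# banned, one just after the ban expires, then a single failure from a second address.
SAMPLE_LOG = """\
Dec 20 19:36:40 server sshd[2001]: Failed password for invalid user admin from 201.140.13.99 port 4321 ssh2
Dec 20 19:36:40 server sshd[2003]: Failed password for invalid user test from 201.140.13.99 port 4322 ssh2
Dec 20 19:36:41 server sshd[2005]: Failed password for root from 201.140.13.99 port 4323 ssh2
Dec 20 19:36:41 server sshd[2007]: Accepted publickey for mike from 10.0.0.5 port 50022 ssh2
Dec 20 19:36:42 server sshd[2009]: Failed password for invalid user guest from 201.140.13.99 port 4324 ssh2
Dec 20 19:36:43 server sshd[2011]: Failed password for invalid user oracle from 201.140.13.99 port 4325 ssh2
Dec 20 19:37:52 server sshd[2013]: Failed password for invalid user admin from 201.140.13.99 port 4326 ssh2
Dec 20 19:46:44 server sshd[2015]: Failed password for invalid user admin from 201.140.13.99 port 4327 ssh2
Dec 20 20:50:59 server sshd[2017]: Failed password for root from 62.148.87.146 port 3321 ssh2
"""


def run(log_text):
    """Feed every line through one Jail; returns the per-line decisions and the jail."""
    jail = Jail()
    decisions = [jail.feed(line) for line in log_text.splitlines()]
    return decisions, jail


if __name__ == "__main__":
    decisions, jail = run(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision!s:15} {line[:60]}")
    for kind, ip, cmd in jail.actions:
        print(f"{kind:6} {ip:16} -> {cmd}")
```

Run stand-alone it prints the decision for each line followed by the two firewall commands it would have issued (a DROP insert at 19:36:43 and the matching delete at 19:46:44). In a real deployment the DROP rule stops the address's packets before sshd sees them, so the "already banned" branch only fires for lines that were queued before the rule took effect; the model keeps it because it is the "already in ban list" message visible in Mike's log.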
