[K12OSN] Random system crashes: Linux gurus, what would you do?

Rob Owens hick518 at yahoo.com
Wed Dec 21 11:08:16 UTC 2005


If you can do it, block all ssh access except from a
few IP ranges that you need.  That's what I do.  The
only people who can even attempt ssh access on my
machine are people who share the dynamic IP ranges of
the 3 or 4 machines that I typically use.  

-Rob

--- Peter Hartmann <ascensiontech at gmail.com> wrote:

> This is a preventative measure and it's pretty simple.  But you can
> change the default ssh port too.  In /etc/ssh/sshd_config.
> 
> 
> Peter
> 
> On 12/21/05, Mike Ely <mely at rogueriver.k12.or.us> wrote:
> > > If you think your computer may have been broken into, it is best to do
> > > a fresh re-install. If a root kit was installed, it would hide the signs
> > > of damage and could very well cause stability problems.
> > >
> > >> I have also been having what I call dictionary attacks almost every
> > >> night, repeated login attempts via various ports and user names via
> > >> ssh, all from the same IP.  But the only validated logins via ssh can
> > >> all be accounted for as coming from me or a trusted user.
> > >
> > > If you keep getting attacked from a specific IP address, it would be a good
> > > idea to firewall off that IP.
> > >
> > > -Eric
> > >
> >
> > First off, I agree that there's a good chance that box is still rooted.
> > Just as in the case of a persistent spyware infestation on a Windows
> > machine, your only real hope of being sure that machine's clean is to do
> > a wipe-and-reinstall.
> >
> > With regard to the SSH brute-force attacks you're suffering,
> > unfortunately, that's become increasingly common of late.  One tool I
> > use and heartily recommend is fail2ban, available at
> > fail2ban.sourceforge.net
> >
> > The gist of how fail2ban works is that if a given IP address fails ssh
> > logins enough times within a given time period, it adds a DROP rule to
> > iptables for that address for a while.  You can easily configure how
> > many failed logins lead to a blacklisting, and also how long the
> > blacklisting lasts.
> >
> > It's a lot of fun to read /var/log/fail2ban.log too =]
> >
> > Cheers,
> > Mike
> >
> > PS: Sample output from my current fail2ban log.  Enjoy:
> >
> > 2005-12-20 19:36:43,962 INFO: SSH: 201.140.13.99 has 6 login failure(s). Banned.
> > 2005-12-20 19:36:44,182 WARNING: SSH: Ban 201.140.13.99
> > 2005-12-20 19:37:52,374 INFO: SSH: 201.140.13.99 has 60 login failure(s). Banned.
> > 2005-12-20 19:38:48,741 ERROR: SSH: 201.140.13.99 already in ban list
> > 2005-12-20 19:46:44,974 WARNING: SSH: Unban 201.140.13.99
> > 2005-12-20 20:50:59,880 INFO: SSH: 62.148.87.146 has 5 login failure(s). Banned.
> > 2005-12-20 20:50:59,882 WARNING: SSH: Ban 62.148.87.146
> > 2005-12-20 20:51:56,685 INFO: SSH: 62.148.87.146 has 12 login failure(s). Banned.
> > 2005-12-20 20:52:47,621 ERROR: SSH: 62.148.87.146 already in ban list
> > 2005-12-20 21:01:00,117 WARNING: SSH: Unban 62.148.87.146
> >
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN at redhat.com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
> >


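As an added example, not code from this thread or from the fail2ban project: a small Python model of the threshold-within-a-window logic Mike describes (a given IP, enough failures inside a time period, a DROP rule for a while, then an unban), run over constructed sshd log lines. The syslog line format, the year (syslog timestamps carry none), the RFC 5737 documentation-range IPs and the iptables command strings are all assumptions; the commands are returned as text and never executed, so the logic can be run and checked on any machine.

```python
"""Sliding-window ban logic in the style of fail2ban (added example, not the
fail2ban project's code).  Counts sshd login failures per source IP, bans an
address once it reaches a threshold inside a time window, and lifts the ban
after a fixed period.  Firewall changes are returned as iptables command
strings rather than executed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in the common syslog format (assumed); the IPs
# are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Dec 20 19:36:10 ltsp sshd[2201]: Failed password for root from 192.0.2.10 port 4523 ssh2
Dec 20 19:36:14 ltsp sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 4531 ssh2
Dec 20 19:36:20 ltsp sshd[2205]: Failed password for invalid user test from 192.0.2.10 port 4538 ssh2
Dec 20 19:36:27 ltsp sshd[2207]: Failed password for root from 192.0.2.10 port 4542 ssh2
Dec 20 19:36:35 ltsp sshd[2209]: Accepted publickey for rob from 10.1.1.20 port 51000 ssh2
Dec 20 19:36:43 ltsp sshd[2211]: Failed password for root from 192.0.2.10 port 4550 ssh2
Dec 20 19:36:50 ltsp sshd[2213]: Failed password for root from 192.0.2.10 port 4555 ssh2
Dec 20 19:40:00 ltsp sshd[2220]: Failed password for root from 198.51.100.7 port 3322 ssh2
Dec 20 19:47:00 ltsp sshd[2230]: Failed password for root from 198.51.100.7 port 3340 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


class SshJail:
    """One 'jail': threshold, window and ban length are the knobs Mike mentions."""

    def __init__(self, maxretry=5, findtime=600, bantime=600, year=2005):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.year = year                      # syslog lines have no year; assumed
        self.failures = defaultdict(deque)    # ip -> times of recent failures
        self.banned = {}                      # ip -> time the ban expires
        self.actions = []                     # iptables commands, in order

    def parse(self, line):
        """Return (timestamp, ip) for a failed-login line, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        stamp = " ".join(m["ts"].split())     # collapse syslog's day padding
        ts = datetime.strptime(f"{self.year} {stamp}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"]

    def expire_bans(self, now):
        """Lift bans whose bantime has elapsed (the 'Unban' lines in the log)."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")

    def feed(self, line):
        """Process one log line; return what the jail decided for it."""
        parsed = self.parse(line)
        if parsed is None:
            return None                       # not a failure: nothing to count
        now, ip = parsed
        self.expire_bans(now)
        if ip in self.banned:
            return ("already-banned", ip)     # the ERROR lines in Mike's log
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            cmd = f"iptables -I INPUT -s {ip} -j DROP"
            self.actions.append(cmd)
            return ("ban", ip, cmd)
        return ("failure", ip, len(window))


def run(log_text, **jail_kwargs):
    """Feed every non-empty line through a jail; return the jail and per-line results."""
    jail = SshJail(**jail_kwargs)
    results = [jail.feed(line) for line in log_text.splitlines() if line.strip()]
    return jail, results


if __name__ == "__main__":
    jail, results = run(SAMPLE_LOG)
    for line, result in zip(SAMPLE_LOG.splitlines(), results):
        print(f"{result!s:55} <- {line[:50]}")
    print("\n".join(jail.actions))
```

Two design points worth noticing when reading the output: failures are kept in a per-IP deque and pruned on every new event, so the count is always "failures within the last findtime seconds" rather than a lifetime total, and bans are expired lazily on the next log event instead of by a timer, which keeps the model deterministic against a fixed log. With the default window all five failures from 192.0.2.10 fall inside it and the address is banned; with `findtime=10` the same lines never accumulate five failures and no rule is ever emitted.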