[K12OSN] reporting and/or stopping cracking attempts on server

David L. Willson DLWillson at TheGeek.NU
Thu Mar 17 17:46:17 UTC 2011


On a honey-pot:
1. Have really good passwords.
2. dig -x ip.of.attacker
3. www.iptools.com to research the owner of the IP
4. follow up with owner, send someone to jail/detention/home

On an important server:
1. Move ssh to a non-default port.
2. Use fail2ban (you already do; good job.)
3. Put SELinux in enforcing mode and deal with occasional headaches.
4. Remove non-essential services (dovecot? cups? sendmail? apache? up to you)
5. Update frequently and read your log anomaly reports.

David L. Willson
Trainer, Engineer, Enthusiast
RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
tel://720.333.LANS
Freedom is better when you earn it. Learn Linux.
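The list above leans on fail2ban and on reading log anomaly reports. As an added illustration (not code from either poster), here is the core of what such a report does for sshd: parse syslog-style "Failed password" lines, flag any source IP that hits a retry threshold inside a time window (the maxretry/findtime rule fail2ban's sshd jail uses), and tally the guessed usernames. The log lines, hostnames and IPs are constructed samples.

```python
import re
from collections import defaultdict, Counter
from datetime import datetime

# Constructed sample of syslog-style sshd lines (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Mar 17 11:20:01 ltsp sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 17 11:20:04 ltsp sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Mar 17 11:20:09 ltsp sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Mar 17 11:20:15 ltsp sshd[2107]: Failed password for root from 203.0.113.5 port 40150 ssh2
Mar 17 11:20:21 ltsp sshd[2109]: Failed password for invalid user guest from 203.0.113.5 port 40162 ssh2
Mar 17 11:25:40 ltsp sshd[2140]: Failed password for carl from 198.51.100.7 port 51002 ssh2
Mar 17 11:25:52 ltsp sshd[2142]: Accepted publickey for carl from 198.51.100.7 port 51004 ssh2
Mar 17 11:40:00 ltsp sshd[2200]: Failed password for invalid user admin from 192.0.2.9 port 3322 ssh2
Mar 17 13:40:00 ltsp sshd[2300]: Failed password for invalid user admin from 192.0.2.9 port 3323 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failures(log_text, year=2011):
    """Yield (timestamp, ip, user, is_invalid_user) for every failed-password line.
    Syslog lines carry no year, so one is supplied (assumption: a single year)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], bool(m["invalid"])

def offending_ips(log_text, maxretry=5, findtime=600):
    """Return {ip: total_failures} for IPs with at least maxretry failures
    inside any findtime-second window (sliding window over sorted timestamps)."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1  # drop failures older than the window
            if end - start + 1 >= maxretry:
                hits[ip] = len(stamps)
                break
    return hits

def probed_usernames(log_text):
    """Count usernames that do not exist on the box; a wordlist scan shows up here."""
    return Counter(user for _, _, user, invalid in parse_failures(log_text) if invalid)
```

Two failures two hours apart from 192.0.2.9 stay below the threshold, while the five-in-twenty-seconds burst from 203.0.113.5 is flagged; tuning maxretry and findtime is the same trade-off fail2ban's jail.conf exposes.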

----- Original Message -----
From: "Carl Keil" <carl at snarlnet.com>
To: "Support list for open source software in schools." <k12osn at redhat.com>
Sent: Thursday, March 17, 2011 11:27:25 AM
Subject: [K12OSN] reporting and/or stopping cracking attempts on server

Hello folks,

For those of you that run servers exposed to the outside world, I just 
wanted to send a ping out and see what others are doing about this.  I'm 
seeing an escalation in what I call "brute force" attacks on my server.  
Like people trying to SSH in repeatedly from one IP with common sounding 
user names.  Or lots of http requests (I've got web on the same server) 
for ....setup.php or setup.pl etc.  Repeated Auth requests to sendmail.

I've started running fail2ban, which, I feel, does a great job of cutting 
this down.  Is there anything better that's about equally as easy to 
set up?  Is there any point in making the effort to look up the IPs and 
contact the ISPs about this?  Or does that just piss off the script 
kiddies and make you more of a target?  I don't want to have to become a 
full-on security expert, but I want to make sure I'm doing all the easy 
no-brainer stuff that can protect you 99% of the time.  I hope that 
attitude doesn't offend anyone.  I'm not working for a school.  I got 
into ltsp for home use and just run it for convenience and pleasure.  
Dealing with idiots who are trying to break in cuts down on both.

Thanks,

ck

_______________________________________________
K12OSN mailing list
K12OSN at redhat.com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>