some attack to fedora machine.

Da Rock rock_on_the_web at comcen.com.au
Fri Apr 11 22:16:40 UTC 2008


On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote:
> pe, 2008-04-11 kello 09:22 -0500, Mikkel L. Ellertson kirjoitti:
> > Antti J. Huhtala wrote:
> > > A spot of overkill, perhaps?
> > > 
> > > In my modest experience my Linux box has been compromised three (3)
> > > times that I know of. The first was an RH 6.2 box, and my present box
> > > has been invaded twice, first during the FC6 era and then soon after my
> > > F8 installation last December.
> > > Each and every time the invader came in through ssh. Against my better
> > > judgement in installing F8 I allowed ssh to remain a "secure service" as
> > > suggested by the F8 installer. Well, it proved not to be.
> > > 
> > > There seem to be some "sportsmen" out there who just can't resist the
> > > temptation of an open ssh port. Now, if I plan to use ssh to connect to
> > > my box from a remote location, I'm going to have iptables rules to allow
> > > ssh only from known addresses. Not very flexible, perhaps, but I don't
> > > want to allow these sportsmen in again.
> > > 
> > > In each case, just wiping the installation clean and reinstalling with
> > > ssh port closed seems to have done the trick.
> > > 
> > > My 2 c.
> > > 
> > > Antti
> > > 
> > You should also set up SSH to only use key pairs to allow logins. 
> > Not username/password logins. This will foil "dictionary" attacks. 
> > If you do need to allow username/password logins, use one of the 
> > rate limiting packages to block the attacker after 3 or four 
> > failed logins in a row, or more than x attempts from one IP address 
> > in a short period of time. Picking good passwords helps as well.
> > 
> > Mikkel
> No doubt you're right, Mikkel, but I wanted to draw attention to the
> fact that default Fedora installation *does* have ssh marked as "secure
> service". You can disable that while installing, though, but what is the
> newbie to do? Does he know offhand that ssh is not really secure unless
> special steps are taken? No, he accepts default values.
> After realising (with Ethereal, later Wireshark) there were multiple
> attempts to get in via ssh, I installed fail2ban, and did get lots of
> addresses in fail2ban logs in a relatively short while (2-3 weeks). 
> I deliberately left ssh open to see how well F8 with fail2ban could cope
> with (almost) default F8 installation. It took about 20 days for someone
> to get in and then run various commands until he found a vulnerable one.
> I caught that soon after realizing the logwatch messages no longer came
> either to my alias or root.
> 
> Your tip about not allowing username/password combinations is a good
> one. Any examples of an implementation of e.g. key pairs?

Yes, that would be good to see. May I also ask if any of you guys having
these attacks are behind a firewall and/or NAT? I use ssh but so far I
don't believe I've had any trouble; I'd like to be a little better
informed on this though: i.e. symptoms etc.
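An added example, written in POSIX shell and not posted by anyone in this thread, covering the two practical points raised above: checking that an sshd_config really has password logins switched off and key-pair logins on (Mikkel's advice), and applying the "N failed attempts from one address" rule that a rate limiter such as fail2ban acts on to sample log lines (the symptom Da Rock asks about). The sshd_config fragments, the hostname "box" and the auth-log lines are constructed for the example and use RFC 5737 documentation addresses; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Two checks a defender
# would run after reading the advice above:
#   1. ssh_audit      - does an sshd_config really turn off password logins
#                       and leave key-pair logins on?
#   2. failed_sources - which source addresses have reached the "N failed
#                       password attempts" threshold a rate limiter like
#                       fail2ban acts on?
# All input is constructed for the example (hostname "box", RFC 5737
# documentation addresses); nothing here is taken from a real machine.

# Constructed hardened sshd_config fragment.
SSHD_CONF_HARDENED='# sshd_config, key pairs only
Port 22
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
'

# Constructed fragment as a default install might leave it: the keywords
# are simply absent, so sshd falls back to its defaults (password logins on).
SSHD_CONF_DEFAULT='# sshd_config, untouched
Port 22
Protocol 2
'

# Constructed /var/log/secure lines: one address trying four passwords,
# one legitimate user who mistyped once and then logged in with a key.
AUTH_LOG_SAMPLE='Apr 11 22:10:01 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Apr 11 22:10:03 box sshd[2101]: Failed password for root from 192.0.2.10 port 51235 ssh2
Apr 11 22:10:05 box sshd[2103]: Failed password for root from 192.0.2.10 port 51236 ssh2
Apr 11 22:10:07 box sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 51237 ssh2
Apr 11 22:10:20 box sshd[2110]: Failed password for antti from 203.0.113.7 port 40001 ssh2
Apr 11 22:10:25 box sshd[2112]: Accepted publickey for antti from 203.0.113.7 port 40002 ssh2
'

# sshd_value KEYWORD DEFAULT: effective value of KEYWORD in the sshd_config
# read from stdin. sshd uses the first occurrence of a keyword, so the first
# uncommented match wins; DEFAULT is returned when the keyword is absent.
sshd_value() {
    v=$(awk -v k="$1" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ')
    printf '%s\n' "${v:-$2}"
}

# ssh_audit: read an sshd_config from stdin. Prints "ok" and returns 0 when
# password and challenge-response logins are off and public-key logins are
# on; otherwise prints one line per offending directive and returns 1.
# The defaults passed to sshd_value are OpenSSH's own (all three "yes").
ssh_audit() {
    conf=$(cat)
    findings=""
    pw=$(printf '%s\n' "$conf" | sshd_value PasswordAuthentication yes)
    cr=$(printf '%s\n' "$conf" | sshd_value ChallengeResponseAuthentication yes)
    pk=$(printf '%s\n' "$conf" | sshd_value PubkeyAuthentication yes)
    [ "$pw" = no ]  || findings="${findings}PasswordAuthentication should be no (is $pw)\n"
    [ "$cr" = no ]  || findings="${findings}ChallengeResponseAuthentication should be no (is $cr)\n"
    [ "$pk" = yes ] || findings="${findings}PubkeyAuthentication should be yes (is $pk)\n"
    if [ -z "$findings" ]; then
        echo ok
        return 0
    fi
    printf '%b' "$findings"
    return 1
}

# failed_sources THRESHOLD: read auth log lines from stdin and print
# "COUNT ADDRESS" for every source with THRESHOLD or more failed password
# attempts, busiest first. Successful logins are not counted.
failed_sources() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

echo "== hardened config =="
printf '%s' "$SSHD_CONF_HARDENED" | ssh_audit
echo "== default config =="
printf '%s' "$SSHD_CONF_DEFAULT" | ssh_audit || true
echo "== sources with 3 or more failed password attempts =="
printf '%s' "$AUTH_LOG_SAMPLE" | failed_sources 3
```

To run the audit against a real host, pipe /etc/ssh/sshd_config into ssh_audit and /var/log/secure into failed_sources. Before setting PasswordAuthentication to no, generate a key pair with ssh-keygen on the client, append the public key to ~/.ssh/authorized_keys on the server, confirm a key login works from a second session, and only then reload sshd; otherwise the first thing locked out is the admin.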



