Heads up: Brute force attacks on the rise recently

Jim mickeyboa at sbcglobal.net
Thu Oct 29 21:00:01 UTC 2009


On 10/29/2009 02:43 PM, Yaakov Nemoy wrote:
> 2009/10/29 Jim <mickeyboa at sbcglobal.net>:
>> On 10/29/2009 08:17 AM, Athmane Madjoudj wrote:
>>> On Thu, Oct 29, 2009 at 12:52 PM, jdow <jdow at earthlink.net> wrote:
>>>
>>>> From: "Michael Cronenworth" <mike at cchtml.com>
>>>> Sent: Wednesday, 2009/October/28 16:03
>>>>
>>>>> It seems in the past month brute force attacks are on the rise. They are
>>>>> targeting anyone listening on port 22 and go after root. If you do not
>>>>> have a hardened box, you will see thousands upon thousands of
>>>>> connections in your logs. Once logged in they will set your system up in
>>>>> their botnet.
>>>>>
>>>>> Google: dt_ssh5
>>>>> This little baby will get placed in /tmp and will be running. Looks to
>>>>> be a SSH gateway for the attackers for easy access/control.
>>>>>
>>>>> -Make sure your root password is not a dictionary word.
>>>>> -Add iptables rules to limit multiple connections on SSH to 4 within a
>>>>> minute.[1] Perhaps this needs to become a Fedora default.
>>>>>
>>>> Once within 3 minutes is entirely practical and effective. In the last
>>>> two days a pair of dolts kept trying 6621 times and 2185 times after the
>>>> door slammed shut in their faces. Their ISPs have been notified.
>>>>
>>>>> -Update your system.
>>>>> -Use SELinux.
>>>>>
>>>>> Why am I sending this message? Is it SPAM? No. I've seen this hit a
>>>>> customer and cause an explosion in their network traffic. The backdoor
>>>>> was installed on Sept. 30th and was not detected until recently. Google
>>>>> results seem to indicate this past month with higher than normal brute
>>>>> force activity.
>>>>>
>>>>> [1]
>>>>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
>>>>> --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
>>>>> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
>>>>> --set --name DEFAULT --rsource
>>>>>
>>>> I love those rules and have been spreading them around for quite some
>>>> time now. I am glad to see somebody else has either adopted or discovered
>>>> the rule trick. It is devastatingly effective. Guessing a password as
>>>> simple as "mE3" would take decades of attempts. (Now I want to configure
>>>> sshd so that it logs the attempted password along with the attempted user
>>>> name.)
>>>>
>>>> {^_-}
>>>>
>>>> --
>>>> fedora-list mailing list
>>>> fedora-list at redhat.com
>>>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>>> Guidelines:
>>>> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>>>>
>>> You can install fail2ban
>>> #yum install fail2ban
>>>
>>> Links:
>>> http://www.fail2ban.org/
>>>
>> Don't install fail2ban; you will get twice the amount of "Gold Stars".
>>
>> I had fail2ban on an x86_64 box and I was constantly getting SELinux Gold
>> Stars.
>>
>> I relabelled fail2ban a number of times to no avail.
>>
>> I was told it was that fail2ban was structured wrong; what that means, I
>> have no idea. But I just uninstalled it.
> Have you tried denyhosts yet? We haven't had any SELinux issues with it.
>
> -Yaakov
>
No, but I will check it out.

Thanks.
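The two iptables rules quoted above rely on the `recent` match (xt_recent), and what they actually do is easy to get wrong: the first rule only matches a source that already has at least four timestamps inside the last 60 seconds, and because it uses `--update` rather than `--rcheck`, every dropped packet refreshes the entry, so an attacker who keeps hammering stays locked out until they pause for a full minute (which is why thousands of "tries after the door slammed shut" show up in firewall logs). The fifth NEW connection per source per minute is the first one dropped. The following model, an added example written for this page and not code from the thread or from the kernel, replays NEW-connection events through the two rules in order; the IP addresses, timings and the 20-timestamp ring size (the stock `ip_pkt_list_tot` module default) are assumptions for the simulation.

```python
"""Model of the xt_recent semantics behind the two quoted SSH rules:

  -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
  -m recent --set --name DEFAULT --rsource

Added example for illustration; not kernel code and not code from the thread.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
PKT_LIST_TOT = 20     # assumed: stock ip_pkt_list_tot default, stamps kept per source


class RecentTable:
    """Per-source ring of timestamps, like one /proc/net/xt_recent/<name> table."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def update_matches(self, src, now):
        """Rule 1: '--update --seconds W --hitcount N'.

        Matches only if the source already has an entry with at least N
        timestamps no older than W seconds. On a match the current time is
        appended as well (that is the 'update' part), so a source that keeps
        connecting keeps refreshing its own lock-out. A non-matching packet
        leaves the table untouched.
        """
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False

    def set_entry(self, src, now):
        """Rule 2: '--set' always matches and records the timestamp."""
        self.stamps[src].append(now)


def run_chain(events):
    """Feed (seconds, src_ip) NEW-connection events through the two rules in
    order; return one verdict per event: 'DROP' or 'ACCEPT' (reaches sshd)."""
    table = RecentTable()
    verdicts = []
    for now, src in events:
        if table.update_matches(src, now):
            verdicts.append("DROP")
            continue
        table.set_entry(src, now)
        verdicts.append("ACCEPT")
    return verdicts


# Constructed scenarios (addresses from the documentation range 203.0.113.0/24).
def scenario_fast_attacker():
    """Ten SYNs five seconds apart: four get through, the rest are dropped."""
    return run_chain([(t, "203.0.113.7") for t in range(0, 50, 5)])


def scenario_persistent_attacker():
    """Retries every 10 s for ten minutes; --update keeps the door shut."""
    v = run_chain([(t, "203.0.113.7") for t in range(0, 600, 10)])
    return v.count("ACCEPT"), v.count("DROP")


def scenario_slow_attacker():
    """One attempt every 20 s stays under the hitcount: zero drops.
    The rule is a per-source rate cap, not a ban on guessing."""
    return run_chain([(t, "203.0.113.9") for t in range(0, 600, 20)]).count("DROP")


def scenario_backoff():
    """After a burst, a source that stays quiet for over a minute is let in again."""
    burst = [(t, "203.0.113.7") for t in range(0, 50, 5)]
    return run_chain(burst + [(200, "203.0.113.7")])[-1]


if __name__ == "__main__":
    print(scenario_fast_attacker())
    print(scenario_persistent_attacker())
    print(scenario_slow_attacker())
    print(scenario_backoff())
```

The slow-attacker case is the caveat to keep in mind: a source pacing itself at three attempts a minute, or a botnet spreading guesses across many addresses, is never touched by these rules, since the table is keyed per source (`--rsource`). The rules cut the noise and the raw guess rate; the password advice in the thread (or keys plus `PermitRootLogin no` in `sshd_config`) is what actually closes the door.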



