
#1 2009-10-06 04:55:09

rhomp2002
Member
Registered: 2008-08-01
Posts: 38

Just saw this article on Slash Dot

Has anyone here had any problems with these attacks on Linux?  I don't think I have on any of the distros I have been playing with so far.  Don't know if that is just dumb luck or I am fortunate that the distros I play with have good defenses:


+----------------------------------------------------------------------------------------------+
| Sloppy Linux Admins Enable Slow Bruteforce Attacks                                           |
|   from the time-lapse-intrusion-monitering dept.                                             |
|   posted by kdawson on Sunday October 04, @22:27 (Security)                                  |
|   https://linux.slashdot.org/story/09/10/ … Bruteforc|
+----------------------------------------------------------------------------------------------+

badger.foo passes on the report of Peter N. M. Hansteen that a [0]third
round of low-intensity, distributed bruteforce attacks is now in progress
— we earlier discussed the [1]first and [2]second rounds — and that
sloppy admin practice on Linux systems is the main enabler. As before,
the article links to log data (this time 770 apparently already
compromised Linux hosts are involved), and further references. "The fact
that your rig runs Linux does not mean you're home free. You need to keep
paying attention. When your spam washer has been hijacked and tries to
break into other people's systems, you urgently need to get your act
together, right now."

Discuss this story at:
    http://linux.slashdot.org/comments.pl?s … 04/2054259

Links:
    0. http://bsdly.blogspot.com/2009/10/third … armed.html
    1. http://it.slashdot.org/article.pl?sid=0 … 244&tid=76
    2. http://it.slashdot.org/article.pl?sid=0 … 257&tid=76

Last edited by rhomp2002 (2009-10-06 04:55:45)


#2 2009-10-06 05:36:56

mikesd
Member
From: Australia
Registered: 2008-02-01
Posts: 788

Re: Just saw this article on Slash Dot

I have always had people/bots hammer my ssh ports. A subset of today's logs:

Oct  6 00:44:58 carbon sshd[6815]: Invalid user sato from 58.180.45.71
Oct  6 00:44:59 carbon sshd[6818]: Invalid user suzuki from 58.180.45.71
Oct  6 00:45:01 carbon sshd[6820]: Invalid user takahashi from 58.180.45.71
Oct  6 02:50:17 carbon sshd[6834]: User root from 118.123.6.41 not allowed because not listed in AllowUsers
Oct  6 02:50:20 carbon sshd[6837]: User root from 118.123.6.41 not allowed because not listed in AllowUsers
Oct  6 02:50:23 carbon sshd[6839]: User root from 118.123.6.41 not allowed because not listed in AllowUsers
Oct  6 03:01:13 carbon sshd[6843]: User root from ppp59-167-43-131.lns2.cbr1.internode.on.net not allowed because not listed in AllowUsers
Oct  6 07:39:11 carbon sshd[6942]: User root from 125.7.235.37 not allowed because not listed in AllowUsers
Oct  6 07:39:12 carbon sshd[6945]: User root from 125.7.235.37 not allowed because not listed in AllowUsers
Oct  6 07:39:14 carbon sshd[6947]: User root from 125.7.235.37 not allowed because not listed in AllowUsers
Oct  6 07:44:44 carbon sshd[6954]: User root from 61.163.209.219 not allowed because not listed in AllowUsers
Oct  6 09:19:45 carbon sshd[7013]: Invalid user fluffy from 200.37.181.203
Oct  6 09:19:50 carbon sshd[7014]: Invalid user alin from 201.64.231.130
Oct  6 09:19:50 carbon sshd[7017]: Invalid user admin from 200.37.181.203
Oct  6 09:20:53 carbon sshd[7019]: User root from 201.64.231.130 not allowed because not listed in AllowUsers
Oct  6 09:21:53 carbon sshd[7021]: Invalid user alin from 201.64.231.130
Oct  6 09:23:21 carbon sshd[7033]: Invalid user test from 200.37.181.203
Oct  6 09:24:09 carbon sshd[7035]: Invalid user guest from 201.64.231.130
Oct  6 15:58:46 carbon sshd[7157]: User root from mail.assun.com.hk not allowed because not listed in AllowUsers

I used to report these attacks, as if you don't take some kind of action I have seen them go on for hours. Now I just lock down SSH (key-based logins only, no root login) and lock out IP addresses that have 3 failed login attempts.

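An added example, not code from the thread or from any poster: a small POSIX sh/awk detector that applies the "3 failed attempts and you're out" rule from the post above to sshd log lines of the two kinds shown there, plus a check that sshd_config does not still permit password or root logins. The sample log is a constructed subset of the excerpt above; the names `offending_sources`, `weak_sshd_settings` and `demo` are my own.

```shell
#!/bin/sh
# Added example, not from the thread: count sshd rejections per source the
# way a "3 failed attempts and you're out" rule would, and check sshd_config
# for settings that contradict "key-based logins only, no root login".
# SAMPLE_LOG is a constructed subset of the log excerpt in the post above.
SAMPLE_LOG='Oct  6 00:44:58 carbon sshd[6815]: Invalid user sato from 58.180.45.71
Oct  6 00:44:59 carbon sshd[6818]: Invalid user suzuki from 58.180.45.71
Oct  6 00:45:01 carbon sshd[6820]: Invalid user takahashi from 58.180.45.71
Oct  6 02:50:17 carbon sshd[6834]: User root from 118.123.6.41 not allowed because not listed in AllowUsers
Oct  6 02:50:20 carbon sshd[6837]: User root from 118.123.6.41 not allowed because not listed in AllowUsers
Oct  6 02:50:23 carbon sshd[6839]: User root from 118.123.6.41 not allowed because not listed in AllowUsers
Oct  6 03:01:13 carbon sshd[6843]: User root from ppp59-167-43-131.lns2.cbr1.internode.on.net not allowed because not listed in AllowUsers
Oct  6 07:44:44 carbon sshd[6954]: User root from 61.163.209.219 not allowed because not listed in AllowUsers
Oct  6 09:19:50 carbon sshd[7014]: Invalid user alin from 201.64.231.130
Oct  6 09:20:53 carbon sshd[7019]: User root from 201.64.231.130 not allowed because not listed in AllowUsers
Oct  6 09:21:53 carbon sshd[7021]: Invalid user alin from 201.64.231.130
Oct  6 09:24:09 carbon sshd[7035]: Invalid user guest from 201.64.231.130'

# Read sshd log lines on stdin; print "count source" for each source with
# at least $1 rejected attempts (default 3), busiest first.
offending_sources() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: (Invalid user|User .* not allowed)/ {
            if (match($0, / from [^ ]+/)) {
                src = substr($0, RSTART + 6, RLENGTH - 6)   # text after " from "
                n[src]++
            }
        }
        END { for (s in n) if (n[s] >= t) print n[s], s }
    ' | sort -k1,1nr -k2,2
}

# Print sshd_config lines that still permit password or root logins;
# prints nothing when the file given as $1 is hardened.
weak_sshd_settings() {
    grep -iE '^[[:space:]]*(PasswordAuthentication[[:space:]]+yes|PermitRootLogin[[:space:]]+(yes|without-password))' "$1" || true
}

# Run the detector over the sample; on a live box feed it the auth log instead,
# e.g.  offending_sources < /var/log/auth.log  (path is distro-dependent).
demo() {
    printf '%s\n' "$SAMPLE_LOG" | offending_sources 3
}
```

The sources the detector prints are the ones a lockout rule would block; the settings check is what to run after editing sshd_config and before restarting sshd.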

#3 2009-10-06 05:44:51

Lich
Member
Registered: 2009-09-13
Posts: 437

Re: Just saw this article on Slash Dot

I have no running servers/daemons on my main box. For my server, I wanted to give this a try: http://hurley.wordpress.com/2008/08/31/ … -fail2ban/

Last edited by Lich (2009-10-06 05:45:38)


Archlinux | ratpoison + evilwm | urxvtc | tmux


#4 2009-10-06 07:27:08

AngryKoala
Member
Registered: 2009-01-22
Posts: 197

Re: Just saw this article on Slash Dot

A pub/private key combo should lock out any attacks, right?


#5 2009-10-06 07:29:47

Zeist
Arch Linux f@h Team Member
Registered: 2008-07-04
Posts: 532

Re: Just saw this article on Slash Dot

A hint to get rid of some of the random attempted logins is just to change your SSH port to something other than 22.


I haven't lost my mind; I have a tape back-up somewhere.
Twitter


#6 2009-10-06 08:00:09

JohnVV
Member
From: Ann Arbor, Mi. U.S.A.
Registered: 2009-09-30
Posts: 107

Re: Just saw this article on Slash Dot

There is "fail2ban", but I liked using

<Directory /?/?/?>
...
Order allow,deny
Allow from all
# address of blackHat (placeholder)
Deny from 123.456.789.123
...
</Directory>


#7 2009-10-06 10:42:37

greenfish
Member
From: eating fish in /dev/null
Registered: 2008-08-30
Posts: 229

Re: Just saw this article on Slash Dot

Zeist wrote:

A hint to get rid of some of the random attempted logins is just to change your SSH port to something other than 22.

Agree, that will get rid of most of the script kiddies/bots.

A good router and some common sense go a long way; you don't need to "FBI" your entire setup.


ARCH64 archSKYNET server AMD  Phenom(tm) II X2 550 HDD 6TB Ram 8GB
Hobbies: Running, Pistol Marksmanship, Classic Music


#8 2009-10-06 12:52:13

japetto
Member
From: Chicago, IL US
Registered: 2006-07-02
Posts: 183

Re: Just saw this article on Slash Dot

If you have to run SSH on port 22 you can always use port knocking to keep it less obvious.
