[NBLUG/talk] Multiple IP address / brute force attack
Walter Hansen
gandalf at sonic.net
Tue Apr 29 23:52:25 PDT 2008
Dean Roman wrote:
> I hate to hear that...how did they get in, if you don't mind me
> asking..via ssh, telnet, ftp, smtp, other?
>
> A pretty good and very simple brute force ssh defensive program is
> denyhosts. Run this on any machine running ssh and it actively adds hosts
> to your /etc/hosts.deny file after a host has too many ssh failures.
Thanks, I'll check it out. But I now have a couple of ipchains that are
reactive. The ssh one is set to limit to four new connections within a
period of five minutes. The pop3 one is set to limit new connections to
four new connections within one minute. I have a bypass in place for the
local office on the pop3 as we're all addicted to our email. I also set
password retries to 0 in sshd.
I was going to set another one for WebMin, but on testing I found out
what I already knew, namely that web servers serve up lots and lots of
little files on lots and lots of different connections. After it failed
miserably I turned it back off.
I think they got in through ssh, and I'm now thinking through one of our
vendor accounts. The windows guys always pick horrible passwords. I'll
just assign them new good ones.
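The per-source connection limits described in this reply (four new ssh connections per five minutes, four new pop3 connections per minute, with the local office exempted from the pop3 limit), as an added example that is not part of the original post or of denyhosts. It is written for iptables using the `recent` match rather than the ipchains the post mentions; the function only prints an iptables-restore fragment, so it runs anywhere, and the office network 192.0.2.0/24 is an assumed placeholder that you pass as the first argument.

```shell
#!/bin/sh
# Added example, not code from the original post: emit an iptables-restore
# fragment that limits NEW ssh and pop3 connections per source address with
# the "recent" match. A source is recorded on every new connection; once it
# has 5 or more entries inside the window (hitcount 5), the 5th and later
# connections are dropped, so 4 per window are allowed. --update also
# refreshes the timestamp, so a host that keeps hammering stays blocked.

gen_rules() {
    # Assumed office network; override by passing a CIDR as $1.
    office="${1:-192.0.2.0/24}"
    cat <<EOF
*filter
:SSHLIMIT - [0:0]
:POP3LIMIT - [0:0]
# Hand each new ssh/pop3 connection to its limiter chain.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSHLIMIT
-A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW -j POP3LIMIT
# ssh: record the source, then drop the 5th+ new connection seen within 300 s.
-A SSHLIMIT -m recent --name SSH --set
-A SSHLIMIT -m recent --name SSH --update --seconds 300 --hitcount 5 -j DROP
-A SSHLIMIT -j RETURN
# pop3: office hosts bypass the limit; everyone else gets 4 new connections per 60 s.
-A POP3LIMIT -s ${office} -j RETURN
-A POP3LIMIT -m recent --name POP3 --set
-A POP3LIMIT -m recent --name POP3 --update --seconds 60 --hitcount 5 -j DROP
-A POP3LIMIT -j RETURN
COMMIT
EOF
}

# Usage (as root, keeping existing rules):
#   gen_rules 192.0.2.0/24 | iptables-restore --noflush
```

The fragment deliberately omits an `:INPUT` policy line so that loading it with `--noflush` leaves your existing INPUT policy alone. Two caveats worth knowing before copying this: the `recent` module caps `--hitcount` at its `ip_pkt_list_tot` module parameter (20 by default), and the counter fires on every new connection, successful or not, so a legitimate user opening several scp sessions in quick succession will also be dropped for the rest of the window. It is also why the same approach failed for WebMin in the post: a browser opens many connections per page, so a per-source NEW-connection counter trips on ordinary use; for a web login, count failed authentications in the application log instead.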