[NBLUG/talk] Multiple IP address / brute force attack

Walter Hansen gandalf at sonic.net
Tue Apr 29 23:52:25 PDT 2008


Dean Roman wrote:
> I hate to hear that...how did they get in, if you don't mind me
> asking..via ssh, telnet, ftp, smtp, other?
> 
> A pretty good and very simple brute force ssh defensive program is
> denyhosts.  Run this on any machine running ssh and it actively adds hosts
> to your /etc/hosts.deny file after a host has too many ssh failures.

Thanks, I'll check it out. But I now have a couple of ipchains that are 
reactive. The ssh one is set to limit to four new connections within a 
period of five minutes. The pop3 one is set to limit new connections to 
four new connections within one minute. I have a bypass in place for the 
local office on the pop3 as we're all addicted to our email. I also set 
password retries to 0 in sshd.

I was going to set another one for WebMin, but on testing I found out 
what I already knew, namely that web servers serve up lots and lots of 
little files on lots and lots of different connections. After it failed 
miserably I turned it back off.

I think they got in through ssh, and I'm now thinking through one of our 
vendor accounts. The windows guys always pick horrible passwords. I'll 
just assign them new good ones.
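The reactive ssh and pop3 limits described above, as an added example that is not code from the original post: written with iptables' `recent` match (assuming iptables rather than the ipchains named in the message), with the office bypass evaluated before the pop3 limit; the office subnet 192.0.2.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: the reactive limits from the
# message written as iptables rules with the "recent" match (assumption:
# iptables, not ipchains). The office subnet is a placeholder (RFC 5737 range).
OFFICE_NET="${OFFICE_NET:-192.0.2.0/24}"

# limit_rules PORT NAME SECONDS MAXCONN
# Allow at most MAXCONN new TCP connections to PORT per source address within
# SECONDS. The --set rule records every new connection; the --update rule
# fires once MAXCONN+1 hits fall inside the window (--set has already counted
# the current packet), so exactly MAXCONN get through before dropping starts.
limit_rules() {
    port=$1 name=$2 secs=$3 max=$4
    hits=$((max + 1))
    base="iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name"
    echo "$base --set"
    echo "$base --update --seconds $secs --hitcount $hits -j DROP"
}

# build_rules: the ruleset from the post, ssh 4 per 5 minutes and pop3 4 per
# minute, with the office bypass placed before the pop3 limit so it wins.
build_rules() {
    limit_rules 22 SSH 300 4
    echo "iptables -A INPUT -p tcp --dport 110 -s $OFFICE_NET -j ACCEPT"
    limit_rules 110 POP3 60 4
}

# Print the rules by default; apply only when asked explicitly and root.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Established connections never hit the DROP rule because of `--ctstate NEW`, so an already open ssh session is unaffected when the limit trips.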
