[NBLUG/talk] Multiple IP address / brute force attack

Dean Roman droman at romansystems.com
Tue Apr 29 19:52:56 PDT 2008


Ken McGlothlen wrote:
> | I'm sad to admit I had a breach on a server at sonic this weekend. [...] The
> | script kiddies were only in for a few seconds, but they did their
> | damage. Things are back up for the most part now and the fortress is a
> | little stronger.
>

I hate to hear that... How did they get in, if you don't mind me
asking? Via ssh, telnet, ftp, smtp, other?

A pretty good and very simple brute force ssh defensive program is
denyhosts.  Run this on any machine running ssh and it actively adds hosts
to your /etc/hosts.deny file after a host has too many ssh failures.


> Sorry to hear it.  These sorts of attacks are getting more and more
> frequent, and without dynamically adaptive firewalls, they're hard to
> manage.
>
> | What this means to me is that if you have a range of IPs on your server
> | and actually configure them to work, it's a little like hanging out a
> | big net with bells on it.
>
> Pretty much.
>
> | Comments, laughter, ideas?
>
> No laughter from this corner.  Keeping up with this sort of thing is
> difficult.
>
> I guess the main thing is to keep track of what networks spell trouble,
> and keep up with your firewall.  Keep up to date with the patches.
> Improve your monitoring tools.  And good luck.
>
> ---Ken
>
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk
>


-- 
Dean A. Roman
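The denyhosts approach mentioned above boils down to three steps: count failed sshd logins per source address, pick the addresses over a threshold, and append TCP Wrappers entries for them to /etc/hosts.deny. The script below is an added illustration of that logic written for this page; it is not denyhosts code and not anything posted in the thread. The log lines are constructed sample data in the syslog format OpenSSH writes, the addresses are RFC 5737 documentation ranges, and the threshold, allowlist and daemon name are assumed parameters.

```python
"""Toy denyhosts-style SSH brute-force blocker (added example, not denyhosts itself)."""
import re
from collections import Counter

# OpenSSH failure lines as they appear in the auth log, e.g.
#   sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample auth.log excerpt (not real traffic).
SAMPLE_AUTH_LOG = """\
Apr 29 19:40:01 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr 29 19:40:03 host sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Apr 29 19:40:05 host sshd[2235]: Failed password for root from 203.0.113.7 port 40141 ssh2
Apr 29 19:40:06 host sshd[2237]: Failed password for root from 203.0.113.7 port 40150 ssh2
Apr 29 19:41:10 host sshd[2240]: Failed password for dean from 198.51.100.23 port 51000 ssh2
Apr 29 19:41:15 host sshd[2240]: Accepted password for dean from 198.51.100.23 port 51000 ssh2
Apr 29 19:42:00 host sshd[2250]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
""".splitlines()


def count_failures(lines):
    """Return a Counter of failed sshd logins keyed by source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_deny(lines, threshold=5, allowlist=frozenset()):
    """Sorted IPs with at least `threshold` failures, minus any allowlisted ones.

    The allowlist is the practical safeguard: a mistyped password from your own
    management host must not lock you out of the box.
    """
    counts = count_failures(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def render_hosts_deny(ips, daemon="sshd"):
    """Render hosts.deny lines in TCP Wrappers syntax ('sshd: 203.0.113.7').

    IPv6 addresses must be bracketed in hosts.deny so the colons are not
    mistaken for the daemon/client separator.
    """
    return [f"{daemon}: [{ip}]" if ":" in ip else f"{daemon}: {ip}" for ip in ips]


def merge_hosts_deny(existing_text, ips, daemon="sshd"):
    """Append entries not already present; return (new file text, entries added)."""
    current = existing_text.splitlines()
    present = set(current)
    added = [e for e in render_hosts_deny(ips, daemon) if e not in present]
    merged = current + added
    return ("\n".join(merged) + "\n") if merged else "", added


if __name__ == "__main__":
    # Hypothetical run over the constructed log with a threshold of 3 failures
    # and the operator's own host allowlisted; prints the resulting hosts.deny.
    offenders = hosts_to_deny(SAMPLE_AUTH_LOG, threshold=3,
                              allowlist={"198.51.100.23"})
    text, added = merge_hosts_deny("sshd: 192.0.2.200\n", offenders)
    print(text, end="")
```

Two caveats a practitioner would add to this. First, an entry in /etc/hosts.deny only blocks daemons that consult TCP Wrappers; distribution sshd builds of that era were linked against libwrap, but OpenSSH dropped libwrap support in 6.7 (2014), so on a current system the same count-and-block logic should feed a firewall rule instead, which is what fail2ban does. Second, the real denyhosts counts failures within a time window and can expire entries; this toy reads a whole log at once, so run it against a rotated log or a tail, not a multi-year file.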
