<p>I prefer to watch for repeated connection attempts for ssh then auto gen a redirect rule that points back to themselves. Give that a few minutes then redirect to nsa or chinese army. </p>
<div class="gmail_quote">On Sep 12, 2011 5:44 PM, "Bob Toxen" <<a href="mailto:transam@verysecurelinux.com">transam@verysecurelinux.com</a>> wrote:<br type="attribution">> Usually the hackers will try up to 1000 passwords on common accounts. I<br>
> know someone who had a root password of "password" and one who had<br>> "root1234" (without quotes) on Internet-connected *nix systems. I got<br>> one to change in time; the other got hacked.<br>
> <br>> Unless you monitor for unsuccessful attacks you don't know how hard they<br>> are trying and how close they are getting.<br>> <br>> It's my experience that even many of the best System Administrators do<br>
> not know what makes a hard-to-break password without education. I had<br>> the pleasure to provide that to ALE last month and it's in the book.<br>> Aaron should have that talk's video available some time this month for<br>
> free viewing by ALE members.<br>> <br>> <br>> I highly recommend PortSentry for locking out port scanners.<br>> <br>> Moving ssh to a different port will NOT stop a hacker who knows what she<br>> is doing. Allowing log in only via a ssh public key or only from a<br>
> short list of IPs with a very strong password will stop anyone (unless<br>> that private key or allowed IP's system is hacked).<br>> <br>> Disabling root ssh and requiring one first to ssh in through another<br>
> account and su'ing or sudo'ing to root is not as effective as the above<br>> solutions and may diminish security, in my opinion.<br>> <br>> Bob Toxen<br>> <a href="mailto:bob@verysecurelinux.com">bob@verysecurelinux.com</a> [Please use for email to me]<br>
> <a href="http://www.verysecurelinux.com">http://www.verysecurelinux.com</a> [Network&Linux security consulting]<br>> <a href="http://www.realworldlinuxsecurity.com">http://www.realworldlinuxsecurity.com</a> [My book:"Real World Linux Security 2/e"]<br>
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.<br>> Quality spam and virus filters.<br>> <br>> "One disk to rule them all, One disk to find them. One disk to bring<br>
> them all and in the darkness grind them. In the Land of Redmond where<br>> the shadows lie...and the Eye is everwatching"<br>> -- The Silicon Valley Tarot Henrique Holschuh with ... Bob<br>> <br>> On Mon, Sep 12, 2011 at 03:07:26PM -0400, Rich Faulkner wrote:<br>
>> My experience with these was that attackers were looking for an easy<br>>> entry. I mean EASY. And some of the companies I was working on were<br>>> more than easy prey...and I'm not even sure they're still in business as<br>
>> I told them over and over again to not follow these practices. But they<br>>> did anyway....and for all I know they're gonners now.<br>> <br>>> One in particular (a former employer) has never changed their passwords.<br>
>> None that I am aware of...and that's with the coming and going of many<br>>> an employee from engineering. This includes FTP sites for content, VPNs<br>>> and the main database servers. This not a major issue and a glaring<br>
>> hole in security? But then again, I don't work there anymore and will<br>>> not attempt to gain access to their systems just to see if they have<br>>> changed the passwords.<br>> <br>>> I DID just buy BOB TOXIN's book and got it in the mail over the weekend.<br>
>> Yeah, you Bob! Will be looking for you at an ALE Meeting soon to sign<br>>> it for me! (Also need the CD - BTW...it was a used book and had the<br>>> disk missing). But more to the original point...I would rather HACK MY<br>
>> OWN NETWORK than hack someone else's and that's exactly what I'm about<br>>> to start doing. Thanks to the inspiration of the last ALE Meeting and<br>>> topics like this thread....<br>> <br>
>> Bowing to Linux greatness in my midst....<br>> <br>> <br>>> On Mon, 2011-09-12 at 13:38 -0400, Michael H. Warfield wrote:<br>> <br>>> > On Mon, 2011-09-12 at 13:19 -0400, Erik Mathis wrote: <br>
>> > > I have to disagree with you on this, as you are only concerned about<br>>> > > ssh. Since the remote box is most likely owned, ssh brute force<br>>> > > attacks is likely only going to be the first wave of hate coming from<br>
>> > > that IP. Its best to me to just take a scorched earth approached in<br>>> > > these situations. Every three months or so, you can remove the ACL<br>>> > > (how ever you end up blocking) and see if it the hate comes back. Auto<br>
>> > > add rules should take care of the rest. In other words, its best to be<br>>> > > prudent and proactive now, then later when your stuff is hacked and<br>>> > > your only left with reactive options.<br>
>> > <br>>> > Ok... You guys apparently don't know what Abacus Port Sentry does.<br>>> > That's what it does. If it detects a port scan above a certain<br>>> > threshold, it blocks it out. I knew the author. I haven't played with<br>
>> > it in years but it is very effective and is the archetype for some<br>>> > similar modern projects. Unless he's talking about another "Port<br>>> > Sentry", he's already doing what he can and denyhost and fail2ban have<br>
>> > nothing to over over port sentry.<br>>> > <br>>> > Also, as the runner of a honeynet for well over a decade, I can tell you<br>>> > this - your argument just does not hold water. I have never seen a<br>
>> > follow up attack from correlated IP addresses on other services<br>>> > following unsuccessful ssh attempts. If they can't connect to ssh, I<br>>> > never hear from them on anything else. I have capture data going back<br>
>> > to 1998 on my darknet. No correlation. Even if they connect to one of<br>>> > my honeypots (another band of addresses) they still never come back and<br>>> > attack on another service. It's not happening. It's a nice argument<br>
>> > but you're just scaring away ghosts in New York City (old OLD joke).<br>>> > The ssh scanning that's taking place is a joke. I seriously thought<br>>> > they would have at least TRIED the stupid Debian bad ssh keys and my<br>
>> > honeypots were set up to deliberately trap and log on that if any ever<br>>> > showed up. Nada! All I get are stoopid attempts at passwords like:<br>>> > <br>>> > password<br>>> > passwd<br>
>> > toor<br>>> > qwert<br>>> > trewq<br>>> > poiuy<br>>> > yuiop<br>>> > 12345<br>>> > 09876<br>>> > <br>>> > Seriously!<br>>> > <br>
>> > And they've never come back a knocking. Even on very legitimate looking<br>>> > honeypot systems with open services and everything.<br>>> > <br>>> > > -Erik-<br>>> > <br>
>> > Regards,<br>>> > Mike<br>>> > <br>>> > > On Mon, Sep 12, 2011 at 12:36 PM, Michael H. Warfield <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br>>> > > > On Mon, 2011-09-12 at 11:59 -0400, Erik Mathis wrote:<br>
>> > > >> Use denyhosts. Simple and really easy to use.<br>>> > > ><br>>> > > >> On Mon, Sep 12, 2011 at 11:05 AM, David Hillman <<a href="mailto:hillmands@gmail.com">hillmands@gmail.com</a>> wrote:<br>
>> > > >> > According to the PortSentry logs for my server, I have received thousands of<br>>> > > >> > connection attempts via SSH port 22. Of course, that is not the port the<br>
>> > > >> > real SSH service is listening on. Logins were also disabled for root.<br>>> > > >> > What's interesting is the IP addresses all belong to Serverloft<br>>> > > >> > (<a href="http://www.serverloft.eu">www.serverloft.eu</a>); most attempts came from 188.138.32.16<br>
>> > > >> > (<a href="http://loft4385.serverloft.eu">loft4385.serverloft.eu</a>). I am guessing someone with a few VPS boxes has<br>>> > > >> > nothing better to do than use up network bandwidth to terrorize the rest of<br>
>> > > >> > us. Or, maybe those boxes have been compromised.<br>>> > > >> > I have e-mailed the folks over over at Serverloft, but I don't expect<br>>> > > >> > anything of it. Is there anything else I can do?<br>
>> > > ><br>>> > > > Hold the phone here!<br>>> > > ><br>>> > > > You guys are trying to over engineer this. Read what the OP wrote.<br>>> > > ><br>
>> > > > He's got ssh running on a different port already. fail2ban and<br>>> > > > denyhosts will do nothing that port sentry (and I'm assuming that's the<br>>> > > > old Abacus Port Sentry) and simple firewall rules won't do. All he's<br>
>> > > > seeing is connection ATTEMPTS. There's nothing there to connect to so<br>>> > > > all he's seeing is Port Sentry logging noise. You've got it blocked<br>>> > > > already and the service isn't running there anyways. You don't want the<br>
>> > > > noise, stop logging it. That's all. You can't stop the attempts. But<br>>> > > > the attempts don't result in any connections. Nothing more to do. Move<br>>> > > > on.<br>
>> > > ><br>>> > > > Mike<br>>> > > > --<br>>> > > > Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com<br>>> > > > /\/\|=mhw=|\/\/ | (678) 463-0932 | <a href="http://www.wittsend.com/mhw/">http://www.wittsend.com/mhw/</a><br>
>> > > > NIC whois: MHW9 | An optimist believes we live in the best of all<br>>> > > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>> _______________________________________________<br>
> Ale mailing list<br>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>> <a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a><br>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><br></div>