Are Linux boxes vulnerable to be used by botnets?

Jon M. Hanson jon at the-hansons-az.net
Mon Mar 17 09:05:40 MST 2008


On Mon, Mar 17, 2008 at 09:57:05AM -0600, Josef Lowder wrote:
> .
> On Mon, 17 Mar 2008 08:37, Mike Bydalek wrote
> > Jon M. Hanson wrote:
> > > Josef Lowder wrote:
> > >> Are Linux boxes vulnerable to be used by botnets?
> > >>  
> > > Probably at least once a day my Linux box that I have co-located is 
> > > probed for a weak password /account through SSH. 
> 
> [snipped]
> 
> > That seems like too much work =P  Most of the probes, ssh attacks, 
> > etc. that I see are from foreign countries and I really don't see 
> > much benefit in reporting them.  What I do on all my servers is use 
> > 2 little tools to help stop these automated attacks: DenyHosts 
> > (http://denyhosts.sourceforge.net/) and PortSentry 
> > (http://sourceforge.net/projects/sentrytools/)
> 
> [snipped]
> 
> This is all very interesting ... and confusing for my simple mind. 
> 
> It sounds like most of the replies to my question pertain to 
> boxes that are used as "servers" and not just "regular users." 
> Or are we all "servers"? 
> 
> Hans wrote: "... someone could take advantage of it to deliver
> a payload that would turn GNU/Linux boxen into trojans."
> 
> How can I determine if one of my computers has had something 
> like this done? 
> 
> Erich Newell wrote: "You will simply be 'pwnt' ..."
> 
> What does that mean? 
> 
> Jon Hanson wrote: "at least once a day my Linux box ...
> is probed for a weak password /account through SSH."
> 
> How can I determine if one of my systems has been "probed"? 
> 
> Mike Bydalek wrote: "... all my servers is use 2 little tools 
> to help stop these automated attacks: DenyHosts"
> 
> Is that something most Linux users should add to their system?
> 
> 

In the SSH case I just watch my system logs. Suddenly there will be a
ton of attempts to log on to accounts on my system (most of which don't
exist).

The automated attempts don't bother me. They're just wasting their time
since I either use public key authentication or a very strong password.

I've also seen a similar thing happen on the POP3 port.
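
Added example, not part of the original message: one way to do the log watching described above for SSH. It counts failed logins per source address and notes any success that follows failures from the same address. The log lines are constructed, and the message format is the common OpenSSH one (an assumption; it varies by version), usually found in /var/log/auth.log or /var/log/secure.

```python
import re
from collections import defaultdict

# Constructed sample in the usual OpenSSH syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Mar 17 08:01:12 colo sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar 17 08:01:14 colo sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40118 ssh2
Mar 17 08:01:17 colo sshd[2105]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar 17 08:01:19 colo sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 40131 ssh2
Mar 17 08:30:02 colo sshd[2150]: Failed password for jon from 198.51.100.7 port 51000 ssh2
Mar 17 08:30:09 colo sshd[2150]: Accepted password for jon from 198.51.100.7 port 51000 ssh2
Mar 17 09:12:44 colo sshd[2190]: Failed password for backup from 192.0.2.44 port 33010 ssh2
Mar 17 09:12:47 colo sshd[2192]: Failed password for backup from 192.0.2.44 port 33015 ssh2
Mar 17 09:12:51 colo sshd[2194]: Failed password for backup from 192.0.2.44 port 33021 ssh2
Mar 17 09:12:55 colo sshd[2196]: Accepted password for backup from 192.0.2.44 port 33027 ssh2
"""

# Greedy (.*) anchors on the last " from ... port N ssh2", so a username that
# itself contains " from " cannot spoof the source address field.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

def find_probes(lines, threshold=3):
    """Return per-source stats for addresses with >= threshold failed logins."""
    stats = defaultdict(lambda: {"failures": 0, "invalid": 0, "users": set(), "accepted_as": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            entry = stats[m.group(3)]
            entry["failures"] += 1
            entry["invalid"] += 1 if m.group(1) else 0  # account does not exist
            entry["users"].add(m.group(2))
            continue
        m = ACCEPTED.search(line)
        # A success from an address that has already failed deserves a closer look.
        if m and m.group(2) in stats:
            stats[m.group(2)]["accepted_as"].add(m.group(1))
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

if __name__ == "__main__":
    for ip, s in find_probes(SAMPLE_LOG.splitlines()).items():
        note = "LOGIN SUCCEEDED as " + ",".join(sorted(s["accepted_as"])) if s["accepted_as"] else "no success"
        print(f"{ip}: {s['failures']} failures, {s['invalid']} for nonexistent accounts, "
              f"users tried: {sorted(s['users'])}, {note}")
```

An address with many failures against nonexistent accounts and no success is the automated probing described in the message; one whose failures end in an accepted login is the case to investigate.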


