Chinese Kiddos with Broken Dicts?

Craig White craigwhite at azapple.com
Sat May 9 23:04:57 MST 2009


On Sat, 2009-05-09 at 22:35 -0700, Kurt Granroth wrote:
> That seems... unlikely.  I have had thousands of unique IPs hit some of 
> my hosts, many to never repeat after a round of attacks.  The more 
> plausible route is that they have a botnet of pwned boxes numbering in 
> the hundreds of thousands and they just use them for random dictionary 
> attacks.  Once the dictionary attack is done (completely failed), they 
> move on.
> 
> One lesson to learn from this, though, is to NEVER allow name+password 
> based logins over the Internet.  If you open up port 22 to the world, 
> then make sure you restrict logins to SSH key only.  Most importantly:
> 
> PasswordAuthentication no
> 
> If a million monkeys can write the works of Shakespeare, then a million 
> compromised zombies can eventually crack all of your passwords, too!
> 
----
I NEVER open port 22 for SSH to the Internet but always use a different
port number.

I ALWAYS use denyhosts (but there are other programs that do much the
same thing), which blocks connections after a pre-defined number of failed
attempts within a pre-defined time period. I use a pretty low number of
failed attempts and a fairly wide time window.

I used to pay attention to iptables reports and even once wrote a
database program to import/sort/report on them, because if you have a box
on the Internet, you are going to get a lot of blocked attempts, but I
really felt that virtually all of that time and energy was wasted. I am
no longer surprised nor worried about people port scanning my public IP
addresses anymore.

I do employ SELinux these days for an added layer of protection, but I
don't know that I've had a system compromised in the last 10 years... but
I did have several systems compromised a little over 10 years ago and
started taking security very seriously. I do scan my own systems to
verify which ports are open on the Internet.

If you really want to know where your network is weakest...look at your
wireless access point/router. But really, the biggest threat these days
is using a web browser because you can't even trust the web sites you
think that you trust.

I sleep pretty well at night.

Craig
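The blocking rule Craig describes (a pre-defined number of failed attempts within a pre-defined time window) as a sliding-window counter over sshd log lines, written as an added example for this thread rather than code from denyhosts or from the author. The log lines, host name, addresses and the 2009 year used for the syslog timestamps are constructed; the names `find_offenders` and `parse_ts` are the example's own.

```python
"""Sliding-window failed-login blocker in the spirit of denyhosts (example
code, not denyhosts itself). Sample sshd log lines are constructed below."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format written by OpenSSH's sshd.
SAMPLE_LOG = """\
May  9 23:00:01 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May  9 23:00:04 web1 sshd[4103]: Failed password for root from 203.0.113.5 port 40130 ssh2
May  9 23:00:09 web1 sshd[4105]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
May  9 23:00:30 web1 sshd[4110]: Failed password for craig from 198.51.100.7 port 51000 ssh2
May  9 23:00:35 web1 sshd[4112]: Accepted publickey for craig from 198.51.100.7 port 51001 ssh2
May  9 23:10:00 web1 sshd[4201]: Failed password for root from 192.0.2.9 port 33001 ssh2
May  9 23:20:00 web1 sshd[4205]: Failed password for root from 192.0.2.9 port 33002 ssh2
May  9 23:30:00 web1 sshd[4209]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

# Matches only password failures; key-based and accepted logins never count.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(stamp, year=2009):
    # Syslog stamps carry no year; 2009 is an assumption for the sample data.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, threshold=3, window_seconds=600):
    """Return {ip: time_of_block} for sources that reach `threshold` failed
    password logins within any window of `window_seconds`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in blocked:
            continue  # already decided; a real tool would feed this to hosts.deny
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked
```

With the default ten-minute window the third source, which fails exactly once every ten minutes, is never blocked; widening the window to twenty minutes catches it, which is the point of pairing a low attempt count with a fairly wide window.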
