Re: Cracking attempt dilemma

Author: June Tate
Date:  
To: plug-discuss
Subject: Re: Cracking attempt dilemma
der.hans wrote:
|
| Having a firewall is a good thing :). Make sure you're locking out
| everything that doesn't need to be. Most people probably only need to
| allow incoming TCP traffic on port 22. Drop everything else.
Well, I do have a few other services running on this box that I'd like
to keep open. In particular, I've kept http, ftp (control only), ssh,
smtp, and imaps open, and I'm aggressively dropping and logging any
other traffic on the outer interface.

| If you're getting lots of traffic to SSH, which seems to be the case, then
| maybe you can either lock it down to only a few IPs that you might come
| from and/or setup a port knocking daemon.
|
| knockd - Small port-knock daemon
| Homepage: http://www.zeroflux.org/knock/
I've actually thought about this. Since the only people using ssh on the
system are me and my brother, I was thinking about locking it down to
internal IPs and his one external address.

Port knocking would be a good idea, if and only if my one other user (my
brother) was a little more computer knowledgeable and ran Linux instead
of Windows. Neat idea, though.

| A co-worker has been going through this on people who've been DoSsing her.
| She claims to know who it is and have proof of it. The attacker's mom
| apparently works at his ISP, so the ISP hasn't done anything despite
| repeated attempts.
|
| If someone is attacking you from another country our gov't won't care
| unless you're losing lots of money. Lots of money from their perspective,
| not from ours.
<sarcasm>Oh, goodie.</sarcasm>
So then it's essentially left up to me to deal with this guy. So should
I be blacklisting any IP that attempts to break in? For the most part my
security _seems_ to be okay -- the guy has been attempting to break in
for over a week now, and he still hasn't gotten in, so his attacks are
really becoming nothing more than a really pathetic DoS.

Any idea if there's a way to make ssh act like a tarpit? E.g.: if you fail
to login from the same IP more than three times, each successive time
after that SSH takes exponentially longer to respond with the password
prompt.

|>My server is running Debian Linux, for reference.
|
| Ah, another good move ;-).
I thought about running FreeBSD or NetBSD, but decided against it.
Debian Linux is like my home -- why move when the one I've got is the
one I grew up in? =o)

| You are getting security updates, right?
Yeah. I have cron-apt running every night in download mode to help with
security updates as well. I'm also subscribed to
debian-security-announce and ubuntu-security (I run Ubuntu on my
desktop machines).

| That is not the complete answer, but it is part of a balanced breakfast.

Well, it's like what I've heard other netadmins say: security is a
process, not a state of being. Thanks for the help -- you've given me a
couple of ideas I'm going to try.

--
June Tate * http://www.theonelab.com *
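
A model of the tarpit-plus-blacklist policy June asks about, added here as an example and not code from the thread or from any of the tools named in it: it parses constructed sshd auth-log lines, counts failed password attempts per source address, and computes an exponentially growing delay once an address passes three failures, with a firewall rule emitted once a second (assumed) threshold is crossed. The log lines, the IP addresses and both thresholds are assumptions; a real deployment would feed the delay into a front-end rate limiter or firewall rather than into sshd itself.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not from the original post); the addresses
# are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 10 03:14:01 box sshd[2211]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 10 03:14:05 box sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Jan 10 03:14:09 box sshd[2215]: Accepted publickey for june from 192.0.2.10 port 51000 ssh2
Jan 10 03:14:12 box sshd[2217]: Failed password for root from 198.51.100.7 port 40141 ssh2
Jan 10 03:14:20 box sshd[2219]: Failed password for invalid user test from 198.51.100.7 port 40150 ssh2
Jan 10 03:14:31 box sshd[2221]: Failed password for june from 192.0.2.10 port 51012 ssh2
"""

# Matches both "Failed password for USER from IP" and "Failed password for invalid user USER from IP".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

FREE_FAILURES = 3     # failures allowed before the tarpit kicks in ("more than three times")
BLACKLIST_AFTER = 10  # assumed threshold at which an address is dropped outright
MAX_DELAY = 3600      # cap on the delay in seconds so the backoff cannot grow unbounded


def delay_for(failures):
    """Seconds to stall the next password prompt for an address with this many failures:
    0 up to FREE_FAILURES, then 2, 4, 8, ... capped at MAX_DELAY."""
    if failures <= FREE_FAILURES:
        return 0
    return min(2 ** (failures - FREE_FAILURES), MAX_DELAY)


def analyse(log_text):
    """Return (failures per IP, delay that would now apply to each IP)."""
    failures = defaultdict(int)
    delays = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ip = m.group(1)
        failures[ip] += 1
        delays[ip] = delay_for(failures[ip])
    return dict(failures), delays


def addresses_to_block(failures):
    """Addresses past BLACKLIST_AFTER, as the iptables rules a wrapper script would apply."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip, n in sorted(failures.items()) if n >= BLACKLIST_AFTER]


if __name__ == "__main__":
    counts, delays = analyse(SAMPLE_LOG)
    for ip in counts:
        print(f"{ip}: {counts[ip]} failures, next prompt delayed {delays[ip]}s")
    print("\n".join(addresses_to_block(counts)) or "nothing to block yet")
```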

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss