Another $.02:

In addition to other security measures for ssh discussed in this thread:

I disable root logins for sshd. Set via the following parameter in
sshd_config:

    PermitRootLogin no

I also disable password authentication for sshd so only users with their
public key installed can gain access. This is also controlled via
sshd_config:

    PasswordAuthentication no

And don't skip putting a passphrase on the private key! :-)

rna

On Tue, 7 Dec 2004, June Tate wrote:
> Hey folks,
>
> I've been a bit of a long time lurker on this list, but I've recently
> come up with a bit of a problem. Somebody, somewhere out on the 'net is
> attempting to crack into my home server -- unfortunately, they seem to
> be either using a few hundred zombie boxen on the 'net or spoofing their
> IP addresses because each attack is coming from a completely different IP.
>
> The first time I noticed, I noticed a bunch of "Illegal user" error
> messages in /var/log/auth.log. At first I didn't think much of it, but
> since I've worked on the iptables firewall, I've noticed an almost
> constant stream of incoming packets to random ports on my box, too.
>
> At first I thought he must have just found my box via an IP subnet scan
> or something, but when I recently changed ISPs and IP addresses, he
> followed via my domain name.
>
> My question is this: how can I track down this guy, blacklist, or
> prevent him from breaching my defenses? Also, what should I do about
> reporting him to the authorities? Who should I contact about this?
>
> I've tried looking up his various IPs in the whois databases to no avail
> -- they list him as coming from Tokyo, Taiwan, South Africa, San
> Diego, etc.
>
> My server is running Debian Linux, for reference.
>
> --
> June Tate * http://www.theonelab.com * june@theonelab.com
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
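
An added example, not part of the original post or thread: a small Python audit for the two sshd_config settings named in the reply above. It applies sshd's first-value-wins rule and flags Match block overrides; the sample config is constructed, the function names are illustrative, and Include files are not followed.

```python
import re

# The two directives from the post; both should be "no" for every connection.
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed sample: reads as hardened at a glance, but is not.
SAMPLE_CONFIG = """\
passwordauthentication yes
PermitRootLogin no
PasswordAuthentication no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

def parse(text):
    """Return (global_settings, match_overrides) for sshd_config text."""
    global_settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "key value" or "key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            match = value  # later lines apply only to this Match block
        elif match is None:
            global_settings.setdefault(key, value)  # first value wins
        elif key in REQUIRED and value != REQUIRED[key]:
            overrides.append((match, key, value))
    return global_settings, overrides

def audit(text):
    """Return findings; an empty list means both settings hold everywhere."""
    global_settings, overrides = parse(text)
    findings = []
    for key, want in REQUIRED.items():
        got = global_settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, the build default applies")
        elif got != want:
            findings.append(f"{key}: effective value '{got}', want '{want}'")
    for criteria, key, value in overrides:
        findings.append(f"{key}: '{value}' when matching [{criteria}]")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "ok")
```

On a live host, `sshd -T` prints the effective configuration as the daemon itself computes it.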