Re: Cracking attempt dilemma

Author: der.hans
Date:  
To: plug-discuss
Subject: Re: Cracking attempt dilemma
On 14 Dec 2004, June Tate chattered thus:

> der.hans wrote:


> |
> | Yeah, it really annoys me that they continue to leave root logins on
> | by default.
>
> Yeah, that bugged me, too. I always go in and turn that off on fresh
> installs.


Outstanding.

> | I also turn on X forwarding :).
>
> On by default? As in "X11Forwarding yes" in /etc/sshd_config?
>
> I've found that if you leave it set to no that you can still do X11
> forwarding if the server has xauth installed and you pass the -X option
> to ssh. What's the reasoning for turning it on by default? O.o


It does? Hmm, gonna have to try that again. Last I tried, a couple of
months ago, I needed to turn on X11Forwarding at the server in order to get
X forwarding over ssh.

> | So, maybe just blocking .cn and the other countries June mentioned
> | for ssh and other authenticated services will help.
>
> Actually, I didn't mention that, but it sure sounds like a good idea


What I meant was that you mentioned seeing traffic from certain countries,
one of which was .cn. I think you mentioned .tw as well, but didn't
remember the list and, like now, didn't want to go look for it :).

> that I hadn't thought of. I'm guessing a simple "ssh: *.cn" in the
> hosts.deny file or something similar would do the trick, right?


I think most people deny based on IPs that have been allocated to .cn. I
want to put in rules like this, so I'll be figuring it out soon, just not
quite yet :).

Putting the rules in hosts.deny is probably good, but I will likely put
them in the firewall rules. Maybe I'll finally write some 'mess with the
attackers' rules. You know, things that port forward to random services,
then either kill all future packets from the offending IP or port forward
to other services. I guess I really need a daemon that'll pretend to be
various things. It'd be fun to claim to be an ftp daemon that's insisting
on some finger protocol and wanting to use ssh keys ;-).

> | Presumably she knows whether or not she'll be in .cn in the next few
> | days, which gives time to open up the firewall if necessary :).
>
> Ironically, I just might be travelling out there sometime in the next
> few months. Probably won't be doing anything on the 'net out there,
> though. =o)


If you do hop on the Net make sure to use your own local computer and
hopefully one-time passwords.

Oh and carry knoppix :).

ciao,

der.hans
-- 
#  https://www.LuftHans.com/    http://www.AZOTO.org/
#  "Every person who has mastered a profession is a skeptic concerning it."
#     -- George Bernard Shaw
---------------------------------------------------
PLUG-discuss mailing list - 
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
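
An added example, not part of der.hans's message: one way to turn "IPs that have been allocated to .cn" into firewall or hosts.deny rules, by parsing the pipe-separated delegated-statistics format that the regional registries publish. The sample data, the function names and the `sshd` daemon name are assumptions, and the addresses are documentation ranges rather than real allocations.

```python
import ipaddress

# Constructed sample in the registry "delegated statistics" format:
# registry|cc|type|start|value|date|status (value = address count for ipv4).
SAMPLE = """\
2|apnic|20041214|4|19830613|20041213|+1000
apnic|*|ipv4|*|3|summary
apnic|CN|ipv4|192.0.2.0|128|20040101|allocated
apnic|TW|ipv4|198.51.100.0|256|20040101|allocated
apnic|CN|ipv4|203.0.113.0|192|20040101|assigned
apnic|CN|ipv6|2001:db8::|32|20040101|allocated
apnic|JP|ipv4|192.0.2.128|64|20040101|allocated
"""

def country_networks(stats_text, countries):
    """Return collapsed IPv4 networks delegated to the given country codes."""
    wanted = {c.upper() for c in countries}
    nets = []
    for line in stats_text.splitlines():
        f = line.strip().split("|")
        # Skip comments, the version/summary header lines, IPv6 and other countries.
        if line.startswith("#") or len(f) < 7 or f[2] != "ipv4" or f[1] not in wanted:
            continue
        first = ipaddress.IPv4Address(f[3])
        last = first + (int(f[4]) - 1)
        # A count such as 192 is not a power of two, so one record
        # can expand to several CIDR blocks.
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def iptables_rules(nets, port=22):
    """Firewall form: drop new connections to the given TCP port."""
    return [f"iptables -A INPUT -p tcp --dport {port} -s {n} -j DROP" for n in nets]

def hosts_deny_lines(nets, daemon="sshd"):
    """hosts.deny form, using the net/mask pattern tcp_wrappers accepts."""
    return [f"{daemon}: {n.network_address}/{n.netmask}" for n in nets]

if __name__ == "__main__":
    blocked = country_networks(SAMPLE, ["CN", "TW"])
    print("\n".join(iptables_rules(blocked)))
    print("\n".join(hosts_deny_lines(blocked)))
```

Matching on delegated address blocks does not depend on reverse DNS, which the remote side controls and which many addresses lack.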