Re: Are Linux boxes vulnerable to be used by botnets?

Author: Jon M. Hanson
Date:  
To: Main PLUG discussion list
Subject: Re: Are Linux boxes vulnerable to be used by botnets?
On Mon, Mar 17, 2008 at 09:57:05AM -0600, Josef Lowder wrote:
> .
> On Mon, 17 Mar 2008 08:37, Mike Bydalek wrote
> > Jon M. Hanson wrote:
> > > Josef Lowder wrote:
> > >> Are Linux boxes vulnerable to be used by botnets?
> > >>
> > > Probably at least once a day my Linux box that I have co-located is
> > > probed for a weak password/account through SSH.
>
> [snipped]
>
> > That seems like too much work =P Most of the probes, ssh attacks,
> > etc. that I see are from foreign countries and I really don't see
> > much benefit in reporting them. What I do on all my servers is use
> > 2 little tools to help stop these automated attacks: DenyHosts
> > (http://denyhosts.sourceforge.net/) and PortSentry
> > (http://sourceforge.net/projects/sentrytools/)
>
> [snipped]
>
> This is all very interesting ... and confusing for my simple mind.
>
> It sounds like most of the replies to my question pertain to
> boxes that are used as "servers" and not just "regular users."
> Or are we all "servers"?
>
> Hans wrote: "... someone could take advantage of it to deliver
> a payload that would turn GNU/Linux boxen into trojans."
>
> How can I determine if one of my computers has had something
> like this done?
>
> Erich Newell wrote: "You will simply be 'pwnt' ..."
>
> What does that mean?
>
> Jon Hanson wrote: "at least once a day my Linux box ...
> is probed for a weak password/account through SSH."
>
> How can I determine if one of my systems has been "probed"?
>
> Mike Bydalek wrote: "... all my servers is use 2 little tools
> to help stop these automated attacks: DenyHosts"
>
> Is that something most Linux users should add to their system?
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


In the SSH case I just watch my system logs. Suddenly there will be a
ton of attempts to log on to accounts on my system (most of which don't
exist).

The automated attempts don't bother me. They're just wasting their time
since I either use public key authentication or a very strong password.

I've also seen a similar thing happen on the POP3 port.

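
Added example, not part of the original message: one way to do the log watching described above is to tally sshd's "Failed password" lines per source address and flag any address whose guessing was followed by a password login. The log lines are constructed samples in OpenSSH's syslog format, and the function names and the threshold of 3 are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (not from a real host).
SAMPLE_LOG = """\
Mar 17 03:12:01 colo sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 17 03:12:03 colo sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Mar 17 03:12:05 colo sshd[2215]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar 17 03:12:07 colo sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 40155 ssh2
Mar 17 08:30:44 colo sshd[3050]: Failed password for jon from 198.51.100.20 port 51490 ssh2
Mar 17 08:30:52 colo sshd[3050]: Accepted publickey for jon from 198.51.100.20 port 51490 ssh2
Mar 17 09:01:10 colo sshd[3120]: Failed password for backup from 192.0.2.55 port 33001 ssh2
Mar 17 09:01:12 colo sshd[3122]: Failed password for backup from 192.0.2.55 port 33007 ssh2
Mar 17 09:01:15 colo sshd[3124]: Accepted password for backup from 192.0.2.55 port 33012 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def summarize(lines):
    """Per source address: failure count, accounts tried, nonexistent accounts, logins."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid": 0, "accepted": []})
    for line in lines:
        m = FAILED.search(line)
        if m:
            s = stats[m.group(3)]
            s["failures"] += 1
            s["users"].add(m.group(2))
            s["invalid"] += bool(m.group(1))  # sshd marks accounts that don't exist
            continue
        m = ACCEPTED.search(line)
        if m:
            stats[m.group(3)]["accepted"].append((m.group(2), m.group(1)))
    return dict(stats)

def classify(s, threshold=3):
    """threshold is an assumed value; tune it to the host's normal typo rate."""
    if s["failures"] and any(method == "password" for _, method in s["accepted"]):
        return "review"  # guessing followed by a password login: check that account
    if s["failures"] >= threshold:
        return "probe"   # automated guessing that never got in
    return "ok"

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, classify(s), s["failures"], sorted(s["users"]))
```

On a real system the input would be the sshd log, typically /var/log/auth.log on Debian-style systems or /var/log/secure on Red Hat-style systems.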