On Sat, 2009-05-09 at 22:35 -0700, Kurt Granroth wrote:
> That seems... unlikely. I have had thousands of unique IPs hit some of
> my hosts, many to never repeat after a round of attacks. The more
> plausible route is that they have a botnet of pwned boxes numbering in
> the hundreds of thousands and they just use them for random dictionary
> attacks. Once the dictionary attack is done (completely failed), they
> move on.
>
> One lesson to learn from this, though, is to NEVER allow name+password
> based logins over the Internet. If you open up port 22 to the world,
> then make sure you restrict logins to SSH key only. Most importantly:
>
> PasswordAuthentication no
>
> If a million monkeys can write the works of Shakespeare, then a million
> compromised zombies can eventually crack all of your passwords, too!
>
----
I NEVER open port 22 for SSH to the Internet but always use a different
port number
I ALWAYS use denyhosts (but there are other programs that do much the
same thing) that blocks connections after a pre-defined number of failed
attempts within a pre-defined time period. I use a pretty low number of
failed attempts and a fairly wide time window period.
I used to pay attention to iptables reports and even once wrote a
database program to import/sort/report on them because if you have a box
on the Internet, you are going to get a lot of blocked attempts but I
really felt that virtually all of that time and energy was wasted. I am
no longer surprised nor worried about people port scanning my public IP
addresses any more.
I do employ SELinux these days for an added layer of protection but I
don't know that I've had a system compromised in the last 10 years...but
I did have several systems compromised a little over 10 years ago and
started taking security very seriously. I do scan my own systems to
verify which ports are open on the Internet.
If you really want to know where your network is weakest...look at your
wireless access point/router. But really, the biggest threat these days
is using a web browser because you can't even trust the web sites you
think that you trust.
I sleep pretty well at night.
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss