[olug] attempted attacks

Sean Kelly smkelly at zombie.org
Tue Mar 8 18:00:48 UTC 2005


On Tue, Mar 08, 2005 at 09:26:41AM -0800, Eric Lusk wrote:
> yeah, I'm checking into several possibilities; just
> have the inability to log in as root, and setting a
> limit on login attempts is enough to deter most
> automated systems, at least.
> Anyone doing the attempts live is really bored.  I'll
> change usernames to non-standard names, I noticed the
> attempts were using common names to log in, like adam,
> etc.  So even adding numbers or using hackerspeak on
> usernames will greatly reduce the chance of an
> automated system getting in.  That, and making sure no
> one is using anything like a real word for a password.
>  (if you can guess my password, and then su as root, I
> must simply congratulate you).

Forcing users to change usernames and making them learn how to use SSH on a
non-standard port are not always good solutions. Security through obscurity
is only a weak form of covering one's ass.

The real trick is to deploy secure systems that use secure products with
secure authentication. Noticing the pattern? "Secure."

Depending on the skill level of the users on the machine, you might
consider using keys as an alternative to forcing username changes. In the
FreeBSD cluster, we're required to send admins@ a SSH public key, and then
we use that key and the associated passphrase to login to any machine in
the cluster. Standard passwords are not supported. As users, we can change
our key once logged in by uploading a new one, or we can e-mail a new one
to admins@ with sufficient proof of who we are.

As some others have already covered, you may also consider the use of a
firewall. On several of my machines, I maintain an ACL with lists of IPs
and netmasks for each user on the system. Only matching IPs can access some
services on the machines.

Another approach is to ignore it. Yes, ignore it. Shut down all the
services you don't really need (finger, RPCs, FTP, telnet, ...). Secure the
ones you do need either via SSH tunnelling with keys, firewall, or just by
using decent software and being fairly diligent at keeping it up to date.
Then, just ignore all the noise in syslog from automated crap banging on
your machine.

-- 
Sean Kelly         | PGP KeyID: D2E5E296
smkelly at zombie.org | http://www.zombie.org
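The key-only login setup described in the message above, as an added example that is not part of the original post and not the FreeBSD cluster's own configuration: a small POSIX shell audit that reads an sshd_config the way sshd does (comment lines ignored, first match wins) and flags the settings that leave password guessing open, run against a constructed weak config and a constructed hardened one. The file names, the sample contents, and the OpenSSH defaults assumed when a keyword is absent (PasswordAuthentication yes, PermitRootLogin prohibit-password, keyboard-interactive yes) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings that decide whether password-guessing bots have anything to guess
# at, then compare a constructed weak config with a constructed hardened one.
# File names and sample contents are assumptions for illustration.

# Effective value of a keyword, read the way sshd reads sshd_config: comment
# lines are ignored, keywords are case-insensitive, and the first match wins.
# When the keyword is absent, the OpenSSH default passed in $3 is assumed
# (defaults as of OpenSSH 7.x and later; older releases differ).
sshd_get() {
    # $1 = config file, $2 = keyword, $3 = default when unset
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/            { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one WEAK line per setting that still lets passwords be guessed.
# Caveat: settings inside Match blocks are not handled here; the
# authoritative effective config comes from sshd itself (sshd -T).
sshd_audit() {
    f="$1"
    pw=$(sshd_get "$f" PasswordAuthentication yes)
    root=$(sshd_get "$f" PermitRootLogin prohibit-password)
    pub=$(sshd_get "$f" PubkeyAuthentication yes)
    # KbdInteractiveAuthentication is the newer name, ChallengeResponse- the
    # older alias. With UsePAM, "yes" here means PAM can still prompt for a
    # password even when PasswordAuthentication is "no".
    kbd=$(sshd_get "$f" KbdInteractiveAuthentication \
          "$(sshd_get "$f" ChallengeResponseAuthentication yes)")
    [ "$pw" = yes ]   && echo "WEAK: PasswordAuthentication yes (bots can guess passwords)"
    [ "$root" = yes ] && echo "WEAK: PermitRootLogin yes (root reachable with a password)"
    [ "$pub" = no ]   && echo "WEAK: PubkeyAuthentication no (nothing to replace passwords with)"
    [ "$kbd" = yes ]  && echo "WEAK: keyboard-interactive yes (PAM may still ask for a password)"
    return 0
}

# Number of WEAK findings, as a plain integer.
sshd_weak_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

WEAK_CFG=$(mktemp) && HARD_CFG=$(mktemp) || exit 1
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed sample: looks tidied up but still takes password guesses.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
# (the line above is commented out, so sshd's default of yes applies)
ChallengeResponseAuthentication yes
UsePAM yes
EOF

# Constructed sample: key-only login, as on the cluster described above.
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg: $(sshd_weak_count "$cfg") weak setting(s)"
    sshd_audit "$cfg"
done
```

The point of the keyboard-interactive check is the one most often missed: turning off PasswordAuthentication alone still leaves PAM free to ask for a password through keyboard-interactive on many builds, so the hardened sample turns both off and pins AuthenticationMethods to publickey. Before restarting a real sshd with a config like this, keep an existing session open and confirm a key login works from a second one.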

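The "noise in syslog" from the last paragraph of the message above, and the common-username pattern Eric noticed in the quoted part, as an added example that is not from the original thread: a shell triage over constructed OpenSSH auth-log lines that counts failures per source and per attempted username, and picks out the one thing not to ignore, a login accepted from a source that had just been failing. The host name, addresses, user names and timestamps in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: triage OpenSSH auth-log noise
# so it can be ignored safely, except for the one pattern that should not be.
# The log lines are constructed; host, addresses and user names are made up.

LOG=$(mktemp) || exit 1
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  8 09:21:03 shell sshd[1234]: Failed password for invalid user adam from 198.51.100.7 port 41022 ssh2
Mar  8 09:21:05 shell sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Mar  8 09:21:07 shell sshd[1236]: Failed password for root from 198.51.100.7 port 41041 ssh2
Mar  8 09:21:09 shell sshd[1237]: Failed password for invalid user test from 198.51.100.7 port 41050 ssh2
Mar  8 09:30:11 shell sshd[1300]: Failed password for invalid user adam from 203.0.113.9 port 5100 ssh2
Mar  8 09:30:14 shell sshd[1301]: Failed password for alice from 203.0.113.9 port 5102 ssh2
Mar  8 09:30:20 shell sshd[1302]: Accepted password for alice from 203.0.113.9 port 5104 ssh2
Mar  8 10:02:40 shell sshd[1400]: Accepted publickey for alice from 192.0.2.21 port 60011 ssh2
EOF

# Failed-login count per source address, busiest first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Usernames the bots tried, most-tried first. "invalid user" lines carry the
# name three fields after "for"; lines for real accounts carry it one field after.
failed_usernames() {
    awk '/: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "for") {
            u = $(i+1); if (u == "invalid") u = $(i+3); n[u]++; break
        }
    } END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# The part not to ignore: a login accepted from an address that had already
# failed at least $2 times earlier in this log. A bot that got in looks like this.
success_after_failures() {
    awk -v thresh="$2" '
        function src(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i+1); return "" }
        /: Failed password for/ { fail[src()]++ }
        /: Accepted (password|publickey) for/ {
            ip = src()
            if (fail[ip] >= thresh) print ip ": accepted after " fail[ip] " failed attempts -> " $0
        }' "$1"
}

echo "== failed logins per source";  failed_by_source "$LOG"
echo "== usernames tried";            failed_usernames "$LOG"
echo "== accepted logins from sources that had been failing (threshold 2)"
success_after_failures "$LOG" 2
```

The first two reports are what the bots produce and are the part that can be ignored once password login is off; the third is the query worth keeping, because a key-only host should never show an accepted login from an address that was guessing moments earlier. The threshold is an assumption; on a real host pick it from the normal rate of legitimate typos.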