[sf-lug] how to whack crackers
jim at well.com
Mon Jan 5 09:34:56 PST 2009
hoping for suggestions to defend against hackers:
we've got a box on the internet using a speakeasy
IP address. a linksys home router sees the front end
and NATs traffic for ssh and http to the box, which
is a node on the LAN running ubuntu server 8.10.
crackers regularly knock on the door. we've
implemented IP tables, though they don't work as we
think they should. for example:
we have a rule (one of many similar)
-A INPUT -p tcp -m iprange \
--src-range 184.108.40.206-220.127.116.11 \
--dport 22 -j DROP
iptables -L shows
DROP tcp -- anywhere anywhere source IP range \
18.104.22.168-22.214.171.124 tcp dpt:ssh
and yet /var/log/auth.log shows ssh login attempts
for a variety of user names from
the box has been cracked once already, we fixed
that vulnerability (i didn't think about a well-known
default user, ubuntu: someone guessed that user and
password, which was probably a well-known default).
ideas we have include
* mount most filesystems in read-only mode (excepting
/var/log/, which is a separate mount point)
* have sshd listen on some upper port rather than 22
(and change iptables rules accordingly)
* have a cron job run every five minutes to monitor
the box, mainly checking for weird user activity and
probably shutting down the box upon discovering such.
* /etc/hosts.deny has ALL=PARANOID and some ip addresses
that crackers have used on us.
we're not happy with our ideas as a complete defense
and hope some of you will chime in with opinions about
our ideas as well as ideas we haven't thought of.
More information about the sf-lug