[sf-lug] how to whack crackers

jim jim at well.com
Mon Jan 5 09:34:56 PST 2009

   hoping for suggestions to defend against hackers: 

   we've got a box on the internet using a speakeasy 
IP address. a linksys home router sees the front end 
and NATs traffic for ssh and http to the box, which 
is a node on the LAN running ubuntu server 8.10. 
   crackers regularly knock on the door. we've 
implemented IP tables, though they don't work as we 
think they should. for example: 

we have a rule (one of many similar) 
-A INPUT -p tcp -m iprange \
--src-range \
--dport 22 -j DROP 

iptables -L shows 
DROP  tcp  --  anywhere  anywhere  source IP range \ tcp dpt:ssh 

and yet /var/log/auth.log shows ssh login attempts 
for a variety of user names from 

   the box has been cracked once already, we fixed 
that vulnerability (i didn't think about a well-known 
default user, ubuntu: someone guessed that user and 
password, which was probably a well-known default). 

   ideas we have include 
* mount most filesystems in read-only mode (excepting 
/var/log/, which is a separate mount point)
* have sshd listen on some upper port rather than 22 
(and change iptables rules accordingly) 
* have a cron job run every five minutes to monitor 
the box, mainly checking for weird user activity and 
probably shutting down the box upon discovering such. 
* /etc/hosts.deny has ALL=PARANOID and some ip addresses 
that crackers have used on us. 

   we're not happy with our ideas as a complete defense 
and hope some of you will chime in with opinions about 
our ideas as well as ideas we haven't thought of. 

More information about the sf-lug mailing list