[sf-lug] how to whack crackers

Sameer Verma sverma at sfsu.edu
Mon Jan 5 12:11:06 PST 2009


On Mon, Jan 5, 2009 at 9:34 AM, jim <jim at well.com> wrote:
>
>   hoping for suggestions to defend against hackers:
>
>
>   we've got a box on the internet using a speakeasy
> IP address. a linksys home router sees the front end
> and NATs traffic for ssh and http to the box, which
> is a node on the LAN running ubuntu server 8.10.
>   crackers regularly knock on the door. we've
> implemented IP tables, though they don't work as we
> think they should. for example:
>
> we have a rule (one of many similar)
> -A INPUT -p tcp -m iprange \
> --src-range 110.0.0.0-126.255.255.255 \
> --dport 22 -j DROP
>
> iptables -L shows
> DROP  tcp  --  anywhere  anywhere  source IP range \
> 110.0.0.0-126.255.255.255 tcp dpt:ssh
>
> and yet /var/log/auth.log shows ssh login attempts
> for a variety of user names from
> 124.93.200.34
>
>   the box has been cracked once already, we fixed
> that vulnerability (i didn't think about a well-known
> default user, ubuntu: someone guessed that user and
> password, which was probably a well-known default).
>
>   ideas we have include
> * mount most filesystems in read-only mode (excepting
> /var/log/, which is a separate mount point)
> * have sshd listen on some upper port rather than 22
> (and change iptables rules accordingly)
> * have a cron job run every five minutes to monitor
> the box, mainly checking for weird user activity and
> probably shutting down the box upon discovering such.
> * /etc/hosts.deny has ALL=PARANOID and some ip addresses
> that crackers have used on us.
>
>   we're not happy with our ideas as a complete defense
> and hope some of you will chime in with opinions about
> our ideas as well as ideas we haven't thought of.
>
>
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
>

I use DenyHosts on all my Internet-facing machines. It works well for
us. http://opensource.sfsu.edu/node/122

Sameer
-- 
Dr. Sameer Verma, Ph.D.
Associate Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/
http://opensource.sfsu.edu/
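The iptables-versus-auth.log mismatch in jim's quoted message, as an added example that is not code from the original thread: the script below parses constructed sshd lines in the Ubuntu auth.log format, counts failed password attempts per source address, flags any source that falls inside a configured `--src-range` DROP range (a sign that the rule is not being hit), and models the first-match ordering of an INPUT chain, which is why a DROP appended with `-A` behind an earlier blanket ACCEPT for port 22 never fires. The sample log lines, the rule lists and the simplified chain model are assumptions made for this example.

```python
"""Check sshd auth.log sources against iptables --src-range DROP rules.

Added example for the sf-lug thread above; not code from the original post.
The log lines and rule chains below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (Ubuntu sshd wording).
SAMPLE_AUTH_LOG = """\
Jan  5 09:01:12 box sshd[2311]: Failed password for invalid user admin from 124.93.200.34 port 44122 ssh2
Jan  5 09:01:15 box sshd[2311]: Failed password for invalid user oracle from 124.93.200.34 port 44180 ssh2
Jan  5 09:02:40 box sshd[2318]: Failed password for root from 124.93.200.34 port 44301 ssh2
Jan  5 09:05:02 box sshd[2325]: Accepted publickey for jim from 192.168.1.20 port 50222 ssh2
Jan  5 09:07:55 box sshd[2330]: Failed password for invalid user test from 66.92.10.5 port 38811 ssh2
"""

# The DROP range from the post, written the way -m iprange --src-range takes it.
DROP_SRC_RANGES = ["110.0.0.0-126.255.255.255"]

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def parse_range(text):
    """Turn 'a.b.c.d-e.f.g.h' (iprange) or 'a.b.c.d/nn' (CIDR) into (first, last) ints."""
    if "-" in text:
        lo, hi = text.split("-", 1)
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def in_ranges(ip, ranges):
    """True if the dotted-quad ip lies inside any of the given ranges."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in map(parse_range, ranges))


def failed_logins_by_ip(log_text):
    """Count failed sshd password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def should_have_been_dropped(log_text, ranges):
    """Sources that reached sshd even though a DROP range covers them."""
    return {ip: n for ip, n in failed_logins_by_ip(log_text).items()
            if in_ranges(ip, ranges)}


# Minimal model of an iptables chain: rules are tried top to bottom and the
# first rule that matches decides; a packet matching nothing gets the policy.
# Each rule is (target, source range or None, destination port or None).
def first_match(chain, src, dport):
    for target, src_range, rule_dport in chain:
        if src_range is not None and not in_ranges(src, [src_range]):
            continue
        if rule_dport is not None and rule_dport != dport:
            continue
        return target
    return "POLICY"


# Constructed chains: in the first, an earlier blanket ACCEPT for ssh shadows
# the DROP appended after it; in the second the DROP comes first and takes effect.
CHAIN_ACCEPT_FIRST = [("ACCEPT", None, 22), ("DROP", "110.0.0.0-126.255.255.255", 22)]
CHAIN_DROP_FIRST = [("DROP", "110.0.0.0-126.255.255.255", 22), ("ACCEPT", None, 22)]

if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{ip:16} {n} failed attempts")
    for ip, n in should_have_been_dropped(SAMPLE_AUTH_LOG, DROP_SRC_RANGES).items():
        print(f"{ip} is inside a DROP range but still reached sshd ({n} attempts)")
    for name, chain in (("ACCEPT before DROP", CHAIN_ACCEPT_FIRST),
                        ("DROP before ACCEPT", CHAIN_DROP_FIRST)):
        print(f"{name}: 124.93.200.34 -> {first_match(chain, '124.93.200.34', 22)}")
```

On a live box the same comparison can be made by feeding `iptables-save` output and the real auth.log to these functions; when an in-range source still shows up, `iptables -L -v --line-numbers` (which prints per-rule packet counters and positions) shows whether the DROP sits below a rule that already accepted the traffic.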