[sf-lug] how to whack crackers
sverma at sfsu.edu
Mon Jan 5 12:11:06 PST 2009
On Mon, Jan 5, 2009 at 9:34 AM, jim <jim at well.com> wrote:
> hoping for suggestions to defend against hackers:
> we've got a box on the internet using a speakeasy
> IP address. a linksys home router sees the front end
> and NATs traffic for ssh and http to the box, which
> is a node on the LAN running ubuntu server 8.10.
> crackers regularly knock on the door. we've
> implemented IP tables, though they don't work as we
> think they should. for example:
> we have a rule (one of many similar)
> -A INPUT -p tcp -m iprange \
> --src-range 188.8.131.52-184.108.40.206 \
> --dport 22 -j DROP
> iptables -L shows
> DROP tcp -- anywhere anywhere source IP range \
> 220.127.116.11-18.104.22.168 tcp dpt:ssh
> and yet /var/log/auth.log shows ssh login attempts
> for a variety of user names from
> the box has been cracked once already, we fixed
> that vulnerability (i didn't think about a well-known
> default user, ubuntu: someone guessed that user and
> password, which was probably a well-known default).
> ideas we have include
> * mount most filesystems in read-only mode (excepting
> /var/log/, which is a separate mount point)
> * have sshd listen on some upper port rather than 22
> (and change iptables rules accordingly)
> * have a cron job run every five minutes to monitor
> the box, mainly checking for weird user activity and
> probably shutting down the box upon discovering such.
> * /etc/hosts.deny has ALL=PARANOID and some ip addresses
> that crackers have used on us.
> we're not happy with our ideas as a complete defense
> and hope some of you will chime in with opinions about
> our ideas as well as ideas we haven't thought of.
> sf-lug mailing list
> sf-lug at linuxmafia.com
I use DenyHosts on all my Internet-facing machines. It works well for
Dr. Sameer Verma, Ph.D.
Associate Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
More information about the sf-lug