[sf-lug] how to whack crackers

Rick Moen rick at linuxmafia.com
Mon Jan 5 15:38:36 PST 2009

Quoting Asheesh Laroia (asheesh at asheesh.org):

> I was going to make suggestions, but then I thought:
> Rick will say everything I will.
> So I waited, and now Rick has again impressed me with the sanity and 
> referencing of his analysis. Cheers!

Well, thank you indeed!

One point of clarification, to my earlier post:  The term "joe account",
if you look it up, is defined as "account with the password set the same
as the username".  One gathers that there might have been some eponymous
Joseph with username "joe" who found password "joe" easiest to remember.

However, what I really meant was an extension of that concept:  I meant
"account with easily guessable password", not just password literally
the same as username.  The scripts that roam the Internet attempting
to brute-force anything that looks like an sshd work based on lists of
plausible, common passwords to attempt with a related list of plausible,
common usernames.

> The way I'd phrase one point is: Your time spent fiddling with iptables 
> here is probably time wasted, as per his hotel break-in analogy.

The only thing I try to do on my own iptables setup is "bogon filtering"
-- rejecting packets with not-valid IPs for the side of the network they
arrive on.  I try not to rely on hostaccess (/etc/hosts.allow,
/etc/hosts.deny) blocking, either.

Why?  Because, if a process is vulnerable to attack, it's smarter to
either not run it at all or not expose it to _any_ network.  I therefore
concentrate my effort on making sure attacks cannot _succeed_, instead
of trying to surround my machine with a magic moat.

The only exception is that leafnode, which I run for locally defined
NNTP newsgroups, has no capability for access control, which means by
itself it would be vulnerable to "comment spam" via remote NNTP.  So, 
I use /etc/hosts.allow to permit NNTP connections _only_ from IP
addresses of people (like Daniel Gimpelevich) who've requested it, and
have this stuff in /etc/hosts.deny to block all others:

leafnode: ALL
news: ALL
nntp: ALL

(Only one of those is needed, but I was too lazy to figure out which
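As an added illustration of the "bogon filtering" Rick describes (not code from the post or from his setup), the Python below classifies packets by whether their source address can legitimately appear on the interface they arrived on, and renders the same policy as iptables commands without running them. The interface names, the LAN prefix, the bogon list (illustrative, not exhaustive) and the sample packets are all assumptions constructed for the example.

```python
"""Bogon filtering: reject packets whose source address cannot legitimately
arrive on the interface they came in on.  Added example; interface names,
prefixes and sample packets are assumptions, not taken from the post."""
import ipaddress

# Address space that should never appear as a *source* on the external side
# (private, loopback, link-local, multicast, reserved).  Illustrative list.
EXTERNAL_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed LAN: on the internal interface, only this prefix is a valid source.
LAN = ipaddress.ip_network("192.168.1.0/24")
EXTERNAL_IF, INTERNAL_IF = "eth0", "eth1"   # assumed interface names


def is_bogon(src, iface):
    """True if a packet from `src` should not exist on interface `iface`."""
    ip = ipaddress.ip_address(src)
    if iface == EXTERNAL_IF:
        # Outside world claiming an inside/special address: spoofed or misrouted.
        return any(ip in net for net in EXTERNAL_BOGONS)
    if iface == INTERNAL_IF:
        # Inside interface claiming a non-LAN address: same reasoning, other side.
        return ip not in LAN
    raise ValueError(f"unknown interface {iface}")


def iptables_rules():
    """Render the policy above as iptables commands (strings only; nothing runs)."""
    rules = [f"iptables -A INPUT -i {EXTERNAL_IF} -s {net} -j DROP"
             for net in EXTERNAL_BOGONS]
    rules.append(f"iptables -A INPUT -i {INTERNAL_IF} ! -s {LAN} -j DROP")
    return rules


# Constructed sample packets: (source address, arriving interface).
SAMPLE_PACKETS = [
    ("203.0.113.5", "eth0"),    # ordinary outside source: accept
    ("10.1.2.3", "eth0"),       # RFC 1918 source from outside: bogon
    ("127.0.0.1", "eth0"),      # loopback source from the wire: bogon
    ("192.168.1.20", "eth1"),   # LAN host on the LAN interface: accept
    ("8.8.8.8", "eth1"),        # outside address claiming to be on the LAN: bogon
]


def classify(packets=SAMPLE_PACKETS):
    """Return (src, iface, is_bogon) for each sample packet."""
    return [(src, iface, is_bogon(src, iface)) for src, iface in packets]


if __name__ == "__main__":
    for src, iface, bogon in classify():
        print(f"{src:>14} on {iface}: {'DROP' if bogon else 'accept'}")
    print("\n".join(iptables_rules()))
```

The rules only say which packets cannot be genuine on a given side of the box; they do nothing about a service that is itself exploitable, which is the point of the post: spend the effort on not running or not exposing the vulnerable process rather than on the moat.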
