* [gentoo-user] Brutal force attack
@ 2004-12-06 19:12 Luigi Pinna
2004-12-06 19:19 ` fire-eyes
` (4 more replies)
0 siblings, 5 replies; 17+ messages in thread
From: Luigi Pinna @ 2004-12-06 19:12 UTC
To: List Gentoo
I have just read in my logs that there is someone trying to log in to my
computer.
He always uses dynamic IP addresses, or in any case he changes his IP
every day.
What can I do?
I have all the IPs, but it is the first time that I have seen an attack
against me.
Thanks for the tips
Luigi
--
Public key GPG(0x073A0960) on http://keyserver.linux.it/
* Re: [gentoo-user] Brutal force attack
From: fire-eyes @ 2004-12-06 19:19 UTC
To: gentoo-user
On Mon, 2004-12-06 at 20:12 +0100, Luigi Pinna wrote:
> I have just read in my logs that there is someone trying to log in to my
> computer.
> He always uses dynamic IP addresses, or in any case he changes his IP
> every day.
> What can I do?
> I have all the IPs, but it is the first time that I have seen an attack
> against me.
> Thanks for the tips
> Luigi
Assuming they are not spoofed IPs, then you need to contact the owner
of those IPs. The whois command (shell, not irc) will help you here.
But don't expect much help, most networks view stopping such attacks as
a waste of their money.
The next best thing to do would be to talk to your own service provider.
Unfortunately, most of the time they will have zero clue what in the
heck you are talking about.
In the end you'll probably have to take it into your own hands, put up a
firewall, etc. Of course, a firewall won't help much if the attack is so
heavy it eats up your bandwidth.
Good luck, this is never easy.
--
fire-eyes <sgtphou@fire-eyes.dynup.net>
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Brutal force attack
From: Matan Peled @ 2004-12-06 19:53 UTC
To: gentoo-user
Luigi Pinna wrote:
>I have just read in my logs that there is someone trying to log in to my
>computer.
>He always uses dynamic IP addresses, or in any case he changes his IP
>every day.
>What can I do?
>I have all the IPs, but it is the first time that I have seen an attack
>against me.
>Thanks for the tips
>Luigi
Looking at this might be a good idea as well.
http://forums.gentoo.org/viewtopic.php?t=260779
Good Luck!
* Re: [gentoo-user] Brutal force attack
From: Adrian CAPDEFIER @ 2004-12-06 21:28 UTC
To: gentoo-user
On Monday 06 December 2004 21:12, Luigi Pinna wrote:
> I have just read in my logs that there is someone trying to log in to my
> computer.
> He always uses dynamic IP addresses, or in any case he changes his IP
> every day.
> What can I do?
> I have all the IPs, but it is the first time that I have seen an attack
> against me.
> Thanks for the tips
> Luigi
Is he doing that using ssh? If your computer is not a public server where
people expect to connect on port 22 then you can alter the port to, say, 2222.
One of the best security measures around :). You could also disable password
logins and go for key-based authentication (assuming this doesn't restrict
you in some way).
Good luck.
Adi.
* Re: [gentoo-user] Brutal force attack
From: Luigi Pinna @ 2004-12-06 21:42 UTC
To: gentoo-user
At 22:28, Monday 06 December 2004, Adrian CAPDEFIER wrote:
>
> Is he doing that using ssh? If your computer is not a public server
> where people expect to connect on port 22 then you can alter the port
> to, say, 2222. One of the best security measures around :). You could
> also disable password logins and go for key-based authentication
> (assuming this doesn't restrict you in some way).
>
> Good luck.
>
> Adi.
No, my computer is not a public server, so I can change the listen port;
I'd use both a key and a password: usually I connect from the same machine.
I want to do this: an RSA key from the host allows connecting to the ssh
server, and after that the usual authentication.
Now I am trying to install a firewall, and after that I'll do it.
Is it complicated?
At the moment I am trying to learn about the firewall kernel 2.6 modules...
Thanks,
Luigi
--
Public key GPG(0x073A0960) on http://keyserver.linux.it/
* Re: [gentoo-user] Brutal force attack
From: Mike @ 2004-12-06 21:44 UTC
To: gentoo-user
On Mon, 6 Dec 2004 20:12:19 +0100, Luigi Pinna
<mailing-gentoo@sailorferris.com> wrote:
> I have just read in my logs that there is someone trying to log in to my
> computer.
> He always uses dynamic IP addresses, or in any case he changes his IP
> every day.
> What can I do?
> I have all the IPs, but it is the first time that I have seen an attack
> against me.
> Thanks for the tips
> Luigi
If they are trying to login via ssh, and you don't need remote ssh
access, turn off sshd. If you do need remote access, see if you can
limit the allowed addresses. At home, I have sshd configured to only
allow access from work, which is reasonably expected to be me.
Mike
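Adrian's suggestion (key-based authentication, non-default port) and Mike's (only accept logins from known addresses) both land in sshd_config. The following is an added example, not code from either poster: a constructed permissive configuration beside a hardened one, and a small audit function that flags the weak settings. The account name, port and address range are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): hardened sshd_config settings for the
# advice given above, plus an audit that flags the weak ones. The account
# name, port and address range are placeholders.

# Constructed sample of a permissive configuration (the "before").
weak_sshd_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

# The hardened fragment ("after"): keys only, no root logins, few tries per
# connection, and the one permitted account restricted to a source network.
hardened_sshd_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
# only this account, and only from the example network 192.0.2.0/24
AllowUsers luigi@192.0.2.*
EOF
}

# audit_sshd_config FILE: print one line per weak setting found; exit status
# 1 if there were any. Comments and blank lines are ignored and keywords are
# matched case-insensitively, as sshd itself treats them.
audit_sshd_config() {
    findings=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '
        { k = tolower($1); v = tolower($2) }
        k == "passwordauthentication" && v == "yes" { print "password logins enabled" }
        k == "permitrootlogin"        && v == "yes" { print "root login permitted" }
        k == "permitemptypasswords"   && v == "yes" { print "empty passwords permitted" }
        k == "allowusers"                           { restricted = 1 }
        END { if (!restricted) print "no AllowUsers restriction" }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` on a live host to see which of the three settings still apply there.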
* Re: [gentoo-user] Brutal force attack
From: Kent Borg @ 2004-12-06 21:44 UTC
To: gentoo-user
On Mon, Dec 06, 2004 at 11:28:03PM +0200, Adrian CAPDEFIER wrote:
> On Monday 06 December 2004 21:12, Luigi Pinna wrote:
> > I have just read in my logs that there is someone trying to log in to my
> > computer.
> > He always uses dynamic IP addresses, or in any case he changes his IP
> > every day.
> > What can I do?
> > I have all the IPs, but it is the first time that I have seen an attack
> > against me.
> > Thanks for the tips
> > Luigi
>
> Is he doing that using ssh? If your computer is not a public server where
> people expect to connect on port 22 then you can alter the port to, say, 2222.
> One of the best security measures around :).
No! I once worked someplace where a machine was on the net and not
carefully maintained. ssh was running on a non-standard port, and it
was rooted via an unpatched hole.
I suggest keeping your machine up to date and patched with the latest
security fixes, and making sure you have good passwords on your
accounts. If you offer accounts to any friends named Frank, Joe, or
Jim, make sure they have good passwords, for those are very guessable
user names.
I get failed logins most days, but my passwords are pretty
unguessable. I choose a password by taking 4 bytes from /dev/random
and run them through mnencode. See a previous posting of mine:
http://www.redhat.com/archives/redhat-list/2003-March/msg02072.html.
My technique gives me a very memorable password that still has
32 bits (4 billion combinations) of entropy in it.
-kb
* Re: [gentoo-user] Brutal force attack
From: Adrian CAPDEFIER @ 2004-12-06 22:04 UTC
To: gentoo-user
On Monday 06 December 2004 23:42, Luigi Pinna wrote:
> At 22:28, Monday 06 December 2004, Adrian CAPDEFIER wrote:
> > Is he doing that using ssh? If your computer is not a public server
> > where people expect to connect on port 22 then you can alter the port
> > to, say, 2222. One of the best security measures around :). You could
> > also disable password logins and go for key-based authentication
> > (assuming this doesn't restrict you in some way).
> >
> > Good luck.
> >
> > Adi.
>
> No, my computer is not a public server, so I can change the listen port;
> I'd use both a key and a password: usually I connect from the same machine.
> I want to do this: an RSA key from the host allows connecting to the ssh
> server, and after that the usual authentication.
> Now I am trying to install a firewall, and after that I'll do it.
> Is it complicated?
> At the moment I am trying to learn about the firewall kernel 2.6 modules...
> Thanks,
> Luigi
A firewall is a must for every computer connected to the Internet IMO. If you
install one you can allow access on port 22 to only some hosts and deny it to
everyone else (or the other way around).
Alternatively, if you're feeling devilish and bored, you could also install a
traffic shaper and set the incoming speed on port 22 (except for some
hosts) to 1B/s >:)
If you want I can e-mail you a version of my script used for neighbourhood
routing that I use to protect my personal computer.
Adi.
* Re: [gentoo-user] Brutal force attack
From: Luigi Pinna @ 2004-12-06 22:05 UTC
To: gentoo-user
At 23:04, Monday 06 December 2004, Adrian CAPDEFIER wrote:
> A firewall is a must for every computer connected to the Internet IMO.
> If you install one you can allow access on port 22 to only some hosts
> and deny it to everyone else (or the other way around).
> Alternatively, if you're feeling devilish and bored, you could also
> install a traffic shaper and set the incoming speed on port 22
> (except for some hosts) to 1B/s >:)
>
> If you want I can e-mail you a version of my script used for
> neighbourhood routing that I use to protect my personal computer.
>
> Adi.
I tried to install a traffic shaper without luck... (I'd like to limit
some applications such as p2p when I connect from remote).
I'd like to have your script; only 2 questions:
1) Is it for 2.6.X kernels? Because the module names are different
2) Can you help me with the kernel configuration? I fear I'll forget the right
options...
Thanks a lot,
Luigi
--
Public key GPG(0x073A0960) on http://keyserver.linux.it/
* Re: [gentoo-user] Brutal force attack
From: Adrian CAPDEFIER @ 2004-12-06 22:20 UTC
To: gentoo-user
On Tuesday 07 December 2004 00:05, you wrote:
> I tried to install a traffic shaper without luck... (I'd like to limit
> some applications such as p2p when I connect from remote).
> I'd like to have your script; only 2 questions:
> 1) Is it for 2.6.X kernels? Because the module names are different
> 2) Can you help me with the kernel configuration? I fear I'll forget the right
> options...
> Thanks a lot,
> Luigi
1) Yes
2) So just edit /etc/terminus/modules and type in the modules you want
Sure I can ... for 2.6
Adi.
[-- Attachment #2: terminus.tar.bz2 --]
* [gentoo-user] P.S.Re: [gentoo-user] Brutal force attack
From: Adrian CAPDEFIER @ 2004-12-06 22:24 UTC
To: gentoo-user
I forgot to mention:
this script just configures iptables so you need to:
# rc-update add terminus default
# rc-update add iptables default
The main body of processing is done in /etc/init.d/terminus. If using 2.6
kernel (which I prefer) you should only edit config files in /etc/terminus
and /etc/conf.d/terminus. Since AFAIK iptables is the same for 2.4 and 2.6
you shouldn't have to alter anything (except for module names as you pointed
out), but if you have to then it will be in /etc/init.d/terminus. Again if I
can help you I will.
Gnite!
Adi.
* Re: [gentoo-user] Brutal force attack
From: Adrian CAPDEFIER @ 2004-12-06 22:28 UTC
To: gentoo-user
On Tuesday 07 December 2004 00:20, Adrian CAPDEFIER wrote:
> On Tuesday 07 December 2004 00:05, you wrote:
> > I tried to install a traffic shaper without luck... (I'd like to limit
> > some applications such as p2p when I connect from remote).
> > I'd like to have your script; only 2 questions:
> > 1) Is it for 2.6.X kernels? Because the module names are different
> > 2) Can you help me with the kernel configuration? I fear I'll forget the right
> > options...
> > Thanks a lot,
> > Luigi
>
> 1) Yes
> 2) So just edit /etc/terminus/modules and type in the modules you want
>
> Sure I can ... for 2.6
>
> Adi.
Sorry to all for the reply to the list with the attachment (I thought reply to
author in kmail meant something else than reply to mailing list)
Adi.
* Re: [gentoo-user] Brutal force attack
From: Alan @ 2004-12-07 4:20 UTC
To: List Gentoo
On Mon, Dec 06, 2004 at 08:12:19PM +0100, Luigi Pinna wrote:
> I have just read in my logs that there is someone trying to log in to my
> computer.
> He always uses dynamic IP addresses, or in any case he changes his IP
> every day.
> What can I do?
> I have all the IPs, but it is the first time that I have seen an attack
> against me.
> Thanks for the tips
If it makes you feel any better my two servers get hundreds of these a
day. I run logwatch and keep an eye on both the 'failed ssh logins'
section and the 'successful ssh logins' section and make sure that the
logins are from people I know instead of random IPs.
alan
--
Alan <alan@ufies.org> - http://arcterex.net
--------------------------------------------------------------------
"Backups are for people who don't pray." -- big Mike
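What Alan describes checking in the logwatch sections, done by hand on sshd syslog lines, as an added example that is not part of his post: failed logins counted per source address, the user names that were guessed (Kent's frank/joe/jim point), and successful logins from addresses not on a known list. The log lines, host name and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the two checks Alan describes, run
# over sshd syslog lines. The log lines and addresses below are constructed.

sample_log() {
    cat <<'EOF'
Dec  6 19:01:12 host sshd[2201]: Failed password for illegal user frank from 198.51.100.23 port 40122 ssh2
Dec  6 19:01:15 host sshd[2203]: Failed password for illegal user joe from 198.51.100.23 port 40125 ssh2
Dec  6 19:01:19 host sshd[2205]: Failed password for root from 198.51.100.23 port 40130 ssh2
Dec  6 19:02:01 host sshd[2210]: Failed password for illegal user jim from 203.0.113.9 port 51001 ssh2
Dec  6 20:12:19 host sshd[2300]: Accepted publickey for luigi from 192.0.2.10 port 33000 ssh2
Dec  6 20:15:40 host sshd[2310]: Accepted password for luigi from 198.51.100.23 port 40200 ssh2
EOF
}

# failed_by_source LOGFILE: failed password attempts per source address,
# busiest first, printed as "COUNT ADDRESS".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (a in n) print n[a], a }' "$1" | sort -rn
}

# guessed_users LOGFILE: user names tried against accounts that do not
# exist, one per line. Common first names are the usual guesses.
guessed_users() {
    awk '/Failed password for illegal user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") print $(i+1)
         }' "$1" | sort -u
}

# unknown_accepted LOGFILE ALLOWFILE: successful logins whose source address
# is not listed (one address per line) in ALLOWFILE. Every line printed here
# deserves a human check, as Alan says: was that really you?
unknown_accepted() {
    awk -v allow="$2" '
        BEGIN { while ((getline a < allow) > 0) ok[a] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from" && !($(i+1) in ok)) print
        }' "$1"
}

# Stand-alone run over the constructed sample; 192.0.2.10 is "my work box".
main() {
    log=$(mktemp); allow=$(mktemp)
    sample_log > "$log"
    printf '192.0.2.10\n' > "$allow"
    echo "== failed logins per source =="; failed_by_source "$log"
    echo "== guessed user names =="; guessed_users "$log"
    echo "== successful logins from unknown addresses =="; unknown_accepted "$log" "$allow"
    rm -f "$log" "$allow"
}

main
```

Point the three functions at the real auth log (/var/log/auth.log or /var/log/messages, depending on syslog setup) and a file of your own addresses instead of the sample.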
* Re: [gentoo-user] Brutal force attack
From: Niklas Herder @ 2004-12-07 9:45 UTC
To: gentoo-user
Adrian CAPDEFIER wrote:
> A firewall is a must for every computer connected to the Internet IMO. If you
> install one you can allow access on port 22 to only some hosts and deny it to
> everyone else (or the other way around).
> Alternatively, if you're feeling devilish and bored, you could also install a
> traffic shaper and set the incoming speed on port 22 (except for some
> hosts) to 1B/s >:)
>
Or you could use a tarpit >:)
http://www.securityfocus.com/infocus/1723
http://labrea.sourceforge.net/labrea-info.html
/N
* Re: [gentoo-user] Brutal force attack
From: Kevin O'Gorman @ 2004-12-07 15:47 UTC
To: gentoo-user
Note: labrea (version 2.5) is already in portage.
++ kevin
On Tue, 07 Dec 2004 10:45:47 +0100, Niklas Herder <herder@dsv.su.se> wrote:
> Adrian CAPDEFIER wrote:
> > A firewall is a must for every computer connected to the Internet IMO. If you
> > install one you can allow access on port 22 to only some hosts and deny it to
> > everyone else (or the other way around).
> > Alternatively, if you're feeling devilish and bored, you could also install a
> > traffic shaper and set the incoming speed on port 22 (except for some
> > hosts) to 1B/s >:)
> >
>
> Or you could use a tarpit >:)
>
> http://www.securityfocus.com/infocus/1723
> http://labrea.sourceforge.net/labrea-info.html
>
> /N
--
Go back to the top: I almost always top-post
Kevin O'Gorman, PhD
* Re: [gentoo-user] P.S.Re: [gentoo-user] Brutal force attack
From: Luigi Pinna @ 2004-12-07 20:06 UTC
To: gentoo-user
At 23:24, Monday 06 December 2004, Adrian CAPDEFIER wrote:
> I forgot to mention:
>
> this script just configures iptables so you need to:
> # rc-update add terminus default
> # rc-update add iptables default
>
> The main body of processing is done in /etc/init.d/terminus. If using
> 2.6 kernel (which I prefer) you should only edit config files in
> /etc/terminus and /etc/conf.d/terminus. Since AFAIK iptables is the
> same for 2.4 and 2.6 you shouldn't have to alter anything (except for
> module names as you pointed out), but if you have to then it will be
> in /etc/init.d/terminus. Again if I can help you I will.
> Gnite!
>
> Adi.
Thanks a lot!
I have almost configured my firewall!
Now I have some questions about the default policy:
I cannot check or change the default policy (is it deny or drop?), and
I'm not sure what happens when I establish a connection (I want
to use a rule that allows all connections starting from my computer).
Can you explain that to me?
Thanks a lot
Luigi
--
Public key GPG(0x073A0960) on http://keyserver.linux.it/
* Re: [gentoo-user] P.S.Re: [gentoo-user] Brutal force attack
From: Adrian CAPDEFIER @ 2004-12-07 20:39 UTC
To: gentoo-user
On Tuesday 07 December 2004 22:06, Luigi Pinna wrote:
> Thanks a lot!
> I have almost configured my firewall!
> Now I have some questions about the default policy:
> I cannot check or change the default policy (is it deny or drop?), and
> I'm not sure what happens when I establish a connection (I want
> to use a rule that allows all connections starting from my computer).
> Can you explain that to me?
> Thanks a lot
> Luigi
You're welcome :)
The default policy is to drop the packets like an ugly baby :) (I'm kidding
here. I actually like babies). I haven't thought of changing the default
policy. So a packet goes through external.deny->external.allow->drop with
one stopping point.
All connections originating from localhost/LANip are allowed by default. I saw
no reason otherwise.
Adi.
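The policy Adrian describes (default DROP, connections originating from the machine allowed, ssh reachable only from chosen hosts), as an added example that is not his terminus script: a small iptables rule set that prints its commands by default so it can be read and checked before being loaded. The interface name, port and allowed addresses are placeholders; running it with the argument `apply` executes the commands and needs root.

```shell
#!/bin/sh
# Added example, not Adrian's terminus script: the policy discussed in the
# thread as a small iptables rule set. Without arguments it only prints the
# commands (dry run); "apply" executes them and needs root. Interface name,
# port and address list are placeholders.

WAN_IF=${WAN_IF:-eth0}                                   # Internet-facing interface
SSH_PORT=${SSH_PORT:-22}
SSH_ALLOWED=${SSH_ALLOWED:-"192.0.2.10 198.51.100.0/24"} # hosts allowed to reach sshd

# ipt ARGS...: run iptables, or just print the command when MODE is not "apply".
ipt() {
    if [ "$MODE" = apply ]; then iptables "$@"; else echo "iptables $*"; fi
}

rules() {
    # Start clean with a default-deny posture on INPUT. DROP discards silently;
    # REJECT would answer with an ICMP error. Both are a deny, so Luigi's
    # "deny or drop" question is really DROP vs REJECT; DROP tells a scanner less.
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback traffic never leaves the machine.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this machine opened. Connection tracking records
    # every outbound connection, so its return packets match ESTABLISHED
    # (RELATED covers e.g. ICMP errors about our own packets). This is the
    # single rule Luigi asked about; nothing else is needed for outbound use.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New ssh connections only from the listed sources. Everyone else falls
    # through to the INPUT policy, so a password guesser never gets a prompt.
    for src in $SSH_ALLOWED; do
        ipt -A INPUT -i "$WAN_IF" -p tcp -s "$src" --dport "$SSH_PORT" \
            -m state --state NEW -j ACCEPT
    done

    # Log what gets dropped, rate-limited so a flood cannot fill the disk.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt-drop:"
}

main() {
    MODE=${1:-print}
    rules
}

main "$@"
```

After loading, `iptables -L -v -n` shows the chains with packet counters; the INPUT policy line should read DROP and the ESTABLISHED,RELATED rule should carry almost all of the accepted traffic.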