[Cialug] Re: RE: Port blocking - and unwanted intruders

cialug@cialug.org cialug@cialug.org
Tue, 07 Dec 2004 19:18:19 +0000


FWIW, my box was 0wned by someone in Israel.  It was really scary, especially
since it was a day after a big virus was announced, and the experts said it was
from Israel.  The attack was via an ssh hole that allowed an overflow to occur,
allowing the user to log in.  I should also mention this was a personal machine.
I know some people fall into the trap "who would want to hack into my
computer?".  The crackers don't care, all they see is a computer that can be
hacked.  It doesn't much matter if you're John Q. Public, or some large corporation.

Personally, I prefer to block it at the firewall level.  I feel the firewall is
much more stable than individual servers.  I log a lot of "events" just to keep
track of what's going on.  Unfortunately, it makes for very long logs, but at
least I can see if someone is trying things I'd really not want them to do.

I am thinking about adding extra security in case for some reason the firewall
allows an IP through when it shouldn't.  Hopefully between the 2 (or 3) levels,
everything that shouldn't be allowed in is kept out.

I too would be interested in seeing the script that generates a firewall rule.
--
Tim W.
> I have seen quite a few ssh attacks coming from South
> Korea, China, Argentina, Italy, Germany, and most
> recently from SBC (US based communications company). 
> I have blocked them with iptables and it's been quite
> effective.  I work at a DOE lab in Ames and similar
> attacks have been reported there as well.  They are
> hitting normal user accounts with names like patrick,
> george, adam, alan, andrew etc., as well as root,
> nobody, web, webmaster, www, wwwrun etc.  It's most
> likely a script kid exploiting an ssh hack they know
> of.  Anyway your best defense is tcpwrappers with a
> firewall that blocks offending dirtbags.  Also make
> sure you keep your distribution up to date with
> security patches.  
> 
> I'd be interested in seeing the script mentioned
> earlier that looks at wrappers logs and generates a
> firewall rule.  
> 
> Regards,
> Ricky
> 
> 
> =====
> Ricky A. Kendall         
> Ames, Iowa
> rickyakendall@yahoo.com
> -----------------------------------------------------------
>                It takes a big dog to weigh a ton.
> -----------------------------------------------------------
> _______________________________________________
> Cialug mailing list
> Cialug@cialug.org
> http://cialug.org/mailman/listinfo/cialug
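
A sketch of the kind of script both posters ask about, added here as an example and not the script mentioned on the list: it reads sshd and tcpwrappers log lines and prints iptables rules for repeat offenders. The log lines are constructed, and the threshold, allowlist and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (documentation address ranges), not real traffic.
# The 03:15:00 entry has a crafted username that embeds a fake "from <ip>".
SAMPLE_LOG = """\
Dec  7 03:12:01 gw sshd[4101]: Failed password for illegal user patrick from 203.0.113.9 port 4242 ssh2
Dec  7 03:12:03 gw sshd[4103]: Failed password for illegal user george from 203.0.113.9 port 4250 ssh2
Dec  7 03:12:05 gw sshd[4105]: Failed password for root from 203.0.113.9 port 4261 ssh2
Dec  7 03:13:40 gw sshd[4120]: refused connect from 198.51.100.77
Dec  7 03:13:41 gw sshd[4121]: refused connect from 198.51.100.77
Dec  7 03:13:42 gw sshd[4122]: refused connect from 198.51.100.77
Dec  7 03:15:00 gw sshd[4130]: Failed password for illegal user x from 192.0.2.10 port 1 ssh2 from 203.0.113.9 port 4300 ssh2
Dec  7 03:20:11 gw sshd[4140]: Failed password for tim from 192.0.2.10 port 5000 ssh2
"""

# Only trust the text right after the syslog tag; the username is remote input.
HEADER = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: (.*)$")
# Greedy ".*" plus fullmatch binds the address to the END of the message,
# which sshd writes itself, so a username cannot spoof the source.
FAILED = re.compile(r"Failed password for .* from (\S+) port \d+ ssh2")
REFUSED = re.compile(r"refused connect from (\S+)")

def source_ip(line):
    """Return the IPv4 source address logged for a failed/refused login, or None."""
    head = HEADER.match(line.rstrip())
    if not head:
        return None
    msg = head.group(1)
    m = FAILED.fullmatch(msg) or REFUSED.fullmatch(msg)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None  # hostname or garbage: never hand it to the firewall

def block_rules(log_text, threshold=3, allowlist=()):
    """Build (but do not run) one DROP rule per address seen >= threshold times."""
    hits = Counter(filter(None, map(source_ip, log_text.splitlines())))
    allowed = {str(ipaddress.IPv4Address(a)) for a in allowlist}
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip, n in sorted(hits.items())
            if n >= threshold and ip not in allowed]

if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE_LOG, allowlist=["192.0.2.10"])))
```

The rules are only printed, so they can be reviewed before being applied; putting your own addresses in the allowlist avoids locking yourself out after a few mistyped passwords.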