Gowator

Crackers!


I thought Linux was supposed to be safe. I didn't even have a password on my admin in XP, and in 3 years of being online nearly continuously, surfing pr0n :P and warez, nothing ever happened to my system :o

Maybe it did ;)

 

 

I did have a firewall running and occasionally it would warn me about a port scan, but never a full-fledged attack, and when I got my new modem/router even these stopped...


Gowator's box acted as a server, I assume, so it's more prone to break-in attempts... lots of services are running, SSH of course for remote admin. A desktop Linux box usually should not have an SSH server running on it, unless you want to access it remotely.

 

To make SSH more secure, try to hide it from the internet...

 

- you can have two Ethernet interfaces and make sshd listen on the one connected to the LAN or a trusted network...

- you can also disable SSH and connect to that box via dial-up... that is, if you don't need to transfer large files, just for administration.

Edited by aioshin


These are the well-known brute-force attacks on SSH that came out last year:

 

http://www.whitedust.net/article/27/Recent...orce%20Attacks/

 

If you google you will find plenty of info on this phenomenon and countermeasures. I think the best counter is to dump passwords for SSH altogether and use key-based authentication:

 

http://www.securityfocus.com/infocus/1810

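What the key-only setup recommended above looks like in the server configuration, written out as an added example (it is not from the thread or from the linked article, and it assumes OpenSSH's sshd_config syntax). It also applies the earlier suggestion of binding sshd to the LAN-facing interface. The address 192.168.1.10 and the account name gowator are placeholders.

```text
# /etc/ssh/sshd_config  (relevant lines only; assumed OpenSSH syntax)

# Only protocol 2; SSH1 has known weaknesses and brute-force tools target it too.
Protocol 2

# Listen only on the address of the interface that faces the LAN or trusted
# network, not on every interface (placeholder address).
ListenAddress 192.168.1.10

# Keys only: a brute-force run against passwords then has nothing to guess.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Never let root log in over SSH; use an ordinary account and su/sudo.
PermitRootLogin no

# Only these accounts may log in over SSH at all (placeholder name).
AllowUsers gowator
```

Generate the key pair on the client with ssh-keygen, append the public key to ~/.ssh/authorized_keys for that account on the server, and confirm a key login works in a new session while an existing session stays open before turning password authentication off; check the file with `sshd -t` before restarting the daemon, since a typo there locks you out as effectively as an attacker would.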
I thought Linux was supposed to be safe. I didn't even have a password on my admin in XP, and in 3 years of being online nearly continuously, surfing pr0n :P and warez, nothing ever happened to my system :o

Well, considering it has stood up to several thousand attacks, I'd say Linux is pretty safe.

 

 

pmpatrick: thanks, that was most informative.

I didn't even have a password on my admin in XP

Did you have a firewall and/or NAV running? If you didn't at least have a firewall then you were lucky. Or maybe you just never noticed it.

 

An unsecured XP machine can be compromised within 15 minutes of being on the internet (statistically). I've seen it happen, it's pretty ugly.

 

There is no such thing as a safe operating system (as opposed to "safer", i.e. Linux is safer than Windows) - once a computer is put on the 'net it's at risk, and anyone with the patience and knowledge will be able to crack it.

There is no such thing as a safe operating system - once a computer is put on the 'net it's at risk, and anyone with the patience and knowledge will be able to crack it.

It's rather lucky the majority of the script kiddies have no knowledge....

The link pmpatrick posted has some good observations, but as you say it's a matter of time if someone is really determined.

From what I can see from the sources they are hijacking other machines to make attacks on others.

Did you have a firewall and/or NAV running? If you didn't at least have a firewall then you were lucky. Or maybe you just never noticed it.

Yeah, initially just an AV + firewall; later I had to buy a new modem which has NAT and a firewall. In the beginning I used to scan constantly but I never found anything. And like I said elsewhere in this thread, I had the occasional port scan...

 

I am not running a firewall now though, because I think it's a waste of resources; my router has an iptables-based firewall anyway....


If anyone wants a quick look, I have a live log at

 

 

edit: refresh to see latest

 

edit 2: Now removed since I have a few valid logins...

Edited by Gowator


While Gowator's attacks go on for hours, I now have one or two instances of 3x "Invalid user" + 1x "LimitCons "DROP"" per day, not more than that. Because if you are dropping their connections for half an hour, they don't re-appear after that.

 

I used this page -- Mitigating SSH brute force attacks -- to arrange blocking of the intruders. It uses shorewall and the ipt_recent module, which is installed in Mandriva as well.


I'm wondering about sticking in a port-forwarding option that basically extracts the source IP connection stats and redirects them back to where they originated.

 

anyone have thoughts on this?


I always just set up a firewall to only allow connections from IPs/IP ranges I know I'll be SSHing in from; that way it just drops everything else.

I always just set up a firewall to only allow connections from IPs/IP ranges I know I'll be SSHing in from; that way it just drops everything else.

I might have to do that. It's annoying because I often need to connect from random places to add something, etc., but currently I have just blocked everything not strictly needed, created an SSH user with a very complex username and password, and blocked every other user from SSH.

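The three firewall-side measures discussed in the last few posts, written out as one added example (this is not code from the thread, from shorewall, or from the page scruffy linked): counting the "Invalid user" / "Failed password" lines per source address from auth.log-style input, the allow-list that accepts SSH only from known ranges and drops the rest, and the ipt_recent rate-limit rules that drop a source for a while after repeated new connections. The log lines are constructed, the port, addresses and thresholds are assumptions, and the functions only print iptables commands so the rules can be reviewed before a single one is applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Nothing here runs iptables; each
# function prints the rules it would install. SSH_PORT, the networks and the
# thresholds are assumptions chosen for the example.

SSH_PORT=22

# Constructed sample of the lines sshd writes to /var/log/auth.log (not a real log).
SAMPLE_LOG='Mar  3 04:12:01 box sshd[2211]: Invalid user admin from 203.0.113.5
Mar  3 04:12:03 box sshd[2213]: Invalid user oracle from 203.0.113.5
Mar  3 04:12:05 box sshd[2215]: Invalid user test from 203.0.113.5
Mar  3 04:12:07 box sshd[2217]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Mar  3 05:01:10 box sshd[2300]: Failed password for root from 198.51.100.9 port 40022 ssh2
Mar  3 05:01:12 box sshd[2302]: Failed password for root from 198.51.100.9 port 40023 ssh2
Mar  3 06:15:44 box sshd[2401]: Accepted publickey for gowator from 192.0.2.10 port 50111 ssh2'

# offenders THRESHOLD: read log lines on stdin and print "count ip" for every
# source with at least THRESHOLD rejected-login lines, most active first.
# Each "Invalid user" and each "Failed password" line counts as one attempt;
# "Accepted" lines are ignored.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# drop_rules: turn "count ip" lines from offenders into per-source DROP rules,
# inserted at the top of INPUT so they take effect before any ACCEPT.
drop_rules() {
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP  # %s failures\n' \
            "$ip" "$SSH_PORT" "$count"
    done
}

# allowlist_rules NET...: accept SSH from each trusted network, drop everything
# else. Rules are evaluated in order, so the ACCEPTs must precede the final DROP.
allowlist_rules() {
    for net in "$@"; do
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$net" "$SSH_PORT"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$SSH_PORT"
}

# ratelimit_rules SECONDS HITS: every new SSH connection is recorded in the
# "SSH" recent list; a source with HITS or more new connections inside SECONDS
# is dropped, and --update refreshes its timestamp on every further try, so the
# block only expires once the source has stayed quiet for SECONDS.
ratelimit_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -m recent --set --name SSH\n' "$SSH_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -m recent --update --seconds %s --hitcount %s --name SSH -j DROP\n' \
        "$SSH_PORT" "$1" "$2"
}

# Demonstration on the constructed log and assumed trusted networks.
echo "# sources with 3 or more rejected logins:"
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | drop_rules
echo "# allow-list (assumed home LAN plus one trusted host):"
allowlist_rules 192.0.2.0/24 198.51.100.7
echo "# rate limit: 4 new connections within 30 minutes gets a source dropped:"
ratelimit_rules 1800 4
```

The rate-limit rules also trip for a legitimate admin who opens several sessions in quick succession, which is why they combine well with an allow-list placed ahead of them: put the ACCEPT for your own network first and let the recent-list rules handle everyone else. Run it as `sh script.sh` and read the output; pipe it into `sh` only on a host you can reach by console if a rule turns out wrong.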

I've mentioned these before on this forum, but I'll say it again - the best tools I've found to harden a Linux box are Portsentry (an excellent port scan detector/blocker) and Bastille (a firewalling & comprehensive system hardening tool). I've used these for years and they're easy to configure and very effective. Install and configure these properly, along with a rootkit scanner, and you should have little to worry about. Unfortunately, they are no longer included with Mandriva, though I can't understand why not; most other major distros still offer packages. But I found rpms that worked on my 10.1 box. Didn't have to resort to using Checkinstall or compiling. They can likely be installed on 2006 without much, if any, hassle.

 

I've rarely used SSH so I'm no expert there, but tyme's suggestion of limiting IPs (and of course using a non-standard port number) sounds simple and effective to me.

 

ffi said:

I am not running a firewall now though, because I think it's a waste of resources, my router has an IP-tables based firewall anyway....

 

I always run both a hardware AND a software firewall. The resources used by a software firewall are infinitesimal; the chances of your router being bypassed by a cracker are not. 2 firewalls are always better than 1.

If your unsecured XPee system never got hacked/infected, you're simply lucky. I've disinfected or reinstalled Windoze plenty of times for people who weren't so fortunate. The security of XP is horrible, only a notch better than Win98 and certainly a far step backward from even the basic security Win2k offered.

