--- "D. Hageman" wrote:
On Sat, 30 Apr 2005, Jack wrote:
Taking the box offline would take down my mail server. I use this yahoo account for kclug, but I get all my regular mail through accounts on my mail server. I didn't say the box has been compromised, I just want advice on blocking these attacks as much as possible. But I don't want to bring my box to a crawl to do it.
You should consider getting a secondary MX server. There will be times where you just can't avoid having the box be inaccessible. If you had a secondary MX this would be a non-issue.
I would like to add a secondary MX box. It's on my wish list. However, I don't see how that would make it a non-issue. If I take one box down, then the second one would become the attack target. I'm looking for a solution to reduce the attacks. The box is a "busy box" that is running several services. It runs the firewall, webserver, mail server and of course is also hosting ssh access. The primary attack is focused on the sshd. The system is running stable with one or two services apt-pinned to testing and has the latest patches. I've analysed the system remotely a little and didn't see any indications of the system actually getting cracked. I'm primarily looking for techniques and suggestions on ways to further lock out these crackers, without bogging down the box. Also on the remote checking of the system, what are some favorite tools for this?
Thanks, Brian
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Jack wrote:
--- "D. Hageman" wrote:
On Sat, 30 Apr 2005, Jack wrote:
Taking the box offline would take down my mail server. I use this yahoo account for kclug, but I get all my regular mail through accounts on my mail server. I didn't say the box has been compromised, I just want advice on blocking these attacks as much as possible. But I don't want to bring my box to a crawl to do it.
You should consider getting a secondary MX server. There will be times where you just can't avoid having the box be inaccessible. If you had a secondary MX this would be a non-issue.
I would like to add a secondary MX box. It's on my wish list. However, I don't see how that would make it a non-issue. If I take one box down, then the second one would become the attack target. I'm looking for a solution to reduce the attacks. The box is a "busy box" that is running several services. It runs the firewall, webserver, mail server and of course is also hosting ssh access. The primary attack is focused on the sshd. The system is running stable with one or two services apt-pinned to testing and has the latest patches. I've analysed the system remotely a little and didn't see any indications of the system actually getting cracked. I'm primarily looking for techniques and suggestions on ways to further lock out these crackers, without bogging down the box. Also on the remote checking of the system, what are some favorite tools for this?
Thanks, Brian
Kclug mailing list [email protected] http://kclug.org/mailman/listinfo/kclug
If all they are doing is the usual BS ssh sniffing, run sshd on a non-standard port.... I usually run mine on something like 2280, that way it's easy to remember but won't get scanned since the kiddies don't seem to do an actual nmap. From what I've seen, all they really do is IP a netblock range and run a script that looks for a session connection and once it finds one, does dictionary scans with common names like "test" and then regular names. Or another thing you can do is use shared key auth. Just an idea.
matt
If all they are doing is the usual BS ssh sniffing, run sshd on a non-standard port.... I usually run mine on something like 2280, that way it's easy to remember but won't get scanned since the kiddies don't seem to do an actual nmap. From what I've seen, all they really do is IP a netblock range and run a script that looks for a session connection and once it finds one, does dictionary scans with common names like "test" and then regular names. Or another thing you can do is use shared key auth. Just an idea.
I was getting blasted with these bot scans/connects to the sshd port, and then all I did was change the port to 222 in sshd_config and the logs don't have any scans/connects to this port other than me. I think changing the port would probably help, with blocking IPs. I think changing the port will make considerable differences in the attacks.
Thanks,
Jonathan
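Matt and Jonathan both point at sshd_config: move the port off 22 and prefer key authentication over passwords. As an added example that is not part of the thread and not code by any of its posters, the script below audits an sshd_config for exactly those settings, using the rules sshd_config(5) itself applies: keywords are case-insensitive, the first value sshd finds for a keyword is the one it uses, and anything after the first `Match` line is conditional rather than global. The sample configs are constructed; the finding text is my wording.

```python
"""Audit an sshd_config for the settings this thread discusses: the
listening port and password versus key authentication.

Added example, not code from the KCLUG thread.  It follows OpenSSH's own
sshd_config(5) rules: keywords are case-insensitive, for each keyword the
FIRST value found is the one sshd uses, and directives after the first
'Match' line are conditional rather than global."""

# Values sshd applies when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}
DEFAULT_PORT = "22"


def parse_sshd_config(text):
    """Return the effective global settings as {lowercase keyword: value}.

    'port' maps to a list, because every Port line adds a listener."""
    settings = {}
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword with no value; sshd itself would reject this
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break  # everything below applies only to matching users/hosts
        if keyword == "port":
            ports.append(value)
        else:
            settings.setdefault(keyword, value)  # first occurrence wins
    settings["port"] = ports or [DEFAULT_PORT]
    for keyword, default in DEFAULTS.items():
        settings.setdefault(keyword, default)
    return settings


def audit(text):
    """Return a list of findings (an empty list means nothing to report)."""
    cfg = parse_sshd_config(text)
    findings = []
    if DEFAULT_PORT in cfg["port"]:
        findings.append(
            "sshd listens on port 22, so bulk scanners will find it; moving it "
            "(as the thread suggests) cuts the noise but is not an access control")
    if cfg["passwordauthentication"] == "yes":
        findings.append(
            "PasswordAuthentication yes: dictionary attacks can succeed; "
            "set it to no and log in with keys")
    if cfg["pubkeyauthentication"] == "no":
        findings.append("PubkeyAuthentication no: key-based login is switched off")
    return findings


# Constructed sample configs (not from the thread).
STOCK = """\
# stock file, roughly what Jonathan describes before his change
Port 22
Protocol 2
PasswordAuthentication yes
"""

HARDENED = """\
Port 222
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# A common mistake: appending the hardened line leaves the earlier
# 'yes' in force, because sshd takes the first value it sees.
APPENDED = """\
PasswordAuthentication yes
PasswordAuthentication no
"""


if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED), ("appended", APPENDED)):
        print(name, audit(text) or ["ok"])
```

The `APPENDED` case is the one worth remembering: adding `PasswordAuthentication no` at the bottom of a file that already says `yes` changes nothing, which is why an audit has to model first-wins instead of grepping for the last match. On a live host, `sshd -T` prints the effective configuration and is the better oracle than re-parsing the file.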
On Sat, 30 Apr 2005, Jack wrote:
--- "D. Hageman" wrote:
On Sat, 30 Apr 2005, Jack wrote:
Taking the box offline would take down my mail server. I use this yahoo account for kclug, but I get all my regular mail through accounts on my mail server. I didn't say the box has been compromised, I just want advice on blocking these attacks as much as possible. But I don't want to bring my box to a crawl to do it.
You should consider getting a secondary MX server. There will be times where you just can't avoid having the box be inaccessible. If you had a secondary MX this would be a non-issue.
I would like to add a secondary MX box. It's on my wish list. However, I don't see how that would make it a non-issue. If I take one box down, then the second one would become the attack target. I'm looking for a solution to reduce the attacks. The box is a "busy box" that is running several services. It runs the firewall, webserver, mail server and of course is also hosting ssh access. The primary attack is focused on the sshd. The system is running stable with one or two services apt-pinned to testing and has the latest patches. I've analysed the system remotely a little and didn't see any indications of the system actually getting cracked. I'm primarily looking for techniques and suggestions on ways to further lock out these crackers, without bogging down the box. Also on the remote checking of the system, what are some favorite tools for this?
I think your analysis of them changing their attack to a secondary would be incorrect. You stated that the primary attack was against SSHD. It sounds to me like they did a basic port scan on the box and started attacking the various pieces of software for which they had exploits/attacks. At this point if you dropped the box, making it look like the box crashed, then they would probably give up and move on. This is assuming that you didn't do something to tick off someone or that you don't have something that someone really really wants. At any rate, the mail would spool up on your secondary (preferably on some other network) and become available again once your primary was back up.
In truth, there is only so much you can do against a large number of attacks - hence the whole slashdot effect. ;-) The main thing you can do is reduce the number of services on each box and add more machines with the services to spread out the number of targets. Firewall as many services as you can to specific networks that you know you will use. Obviously, some services have to be more open (mail), but those usually have rate limiters to help against DoS attacks. If they are probe attacks, well ... what can you do? If your services are spread out then doing things like dropping routes to networks and auto setting up firewall rules isn't so hard on the individual machines.
You could also run a script periodically that would look for attacks and auto-magically mail the owner of the IP address block with an abuse complaint. Make sure you send the log information to them as well.
Good Luck!
//========================================================\ || D. Hageman [email protected] || \========================================================//
On Sat, 30 Apr 2005 21:52:02 -0700 (PDT) Jack [email protected] wrote:
I would like to add a secondary MX box. It's on my wish list. However, I don't see how that would make it a non-issue. If I take one box down, then the second one would become the attack target. I'm looking for a solution to reduce the attacks. The box is a "busy box" that is running several services. It runs the firewall, webserver, mail server and of course is also hosting ssh access. The primary attack is focused on the sshd. The system is running stable with one or two services apt-pinned to testing and has the latest patches. I've analysed the system remotely a little and didn't see any indications of the system actually getting cracked. I'm primarily looking for techniques and suggestions on ways to further lock out these crackers, without bogging down the box. Also on the remote checking of the system, what are some favorite tools for this?
The best way to lock out these attackers is to simply use iptables to block their IPs from accessing your system. It doesn't prevent a DoS on your available bandwidth, but it keeps them from bugging your system. I'm not sure why this hasn't been suggested before.
--------------------------------- Frank Wiles [email protected] http://www.wiles.org ---------------------------------
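D. Hageman suggests a periodic script that spots the attacks and mails the netblock owner an abuse complaint with the log lines attached, and Frank suggests blocking the offending IPs with iptables. The script below is an added example covering both suggestions; it is not code from the thread or from any of its posters. It reads auth.log-style lines, counts `Failed password` events per source inside a sliding time window, skips addresses in networks you declare trusted (so a mistyped password from your own office never locks the office out), and for each source over the threshold returns the iptables rule and a plain-text abuse report as strings. The log lines are constructed, the addresses are RFC 5737 documentation ranges, the contact address is a placeholder, and nothing here runs iptables or sends mail.

```python
"""Find sources that hammer sshd with password failures and produce, for
each one, the two things the thread mentions: an iptables rule that drops
the source (Frank's suggestion) and an abuse report carrying the supporting
log lines (D. Hageman's suggestion).

Added example, not code from the thread.  The log lines below are
constructed, the addresses come from the RFC 5737 documentation ranges,
and the contact address is a placeholder.  Nothing here executes iptables
or sends mail; the functions return the rule and the report as strings."""

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt in classic syslog format (no year field).
SAMPLE_LOG = """\
Apr 30 21:40:01 mx sshd[4021]: Failed password for invalid user test from 192.0.2.10 port 40121 ssh2
Apr 30 21:40:03 mx sshd[4023]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Apr 30 21:40:05 mx sshd[4025]: Failed password for root from 192.0.2.10 port 40123 ssh2
Apr 30 21:40:09 mx sshd[4027]: Failed password for invalid user guest from 192.0.2.10 port 40124 ssh2
Apr 30 21:40:12 mx sshd[4029]: Failed password for invalid user oracle from 192.0.2.10 port 40125 ssh2
Apr 30 21:41:00 mx sshd[4031]: Failed password for brian from 198.51.100.7 port 51000 ssh2
Apr 30 21:41:20 mx sshd[4031]: Accepted publickey for brian from 198.51.100.7 port 51000 ssh2
Apr 30 21:45:00 mx sshd[4040]: Failed password for invalid user test from 203.0.113.5 port 3000 ssh2
"""

# sshd's wording for a password failure, with or without "invalid user".
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) port \d+ ssh2$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip, raw_line) for each password failure."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which
            # is harmless for window arithmetic within one log file
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip"), line


def offenders(log_text, threshold=5, window_seconds=600, trusted=()):
    """Return {ip: [log lines]} for sources with at least `threshold`
    failures inside any `window_seconds` span.  Addresses inside the
    `trusted` networks are never reported, so an admin who fat-fingers a
    password from the office does not lock the office out."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    by_ip = defaultdict(list)
    for ts, _user, ip, line in parse_failures(log_text):
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        by_ip[ip].append((ts, line))
    result = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, (ts, _line) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                result[ip] = [l for _, l in events]
                break
    return result


def drop_rule(ip):
    """The iptables command that would drop further traffic from `ip`.
    Returned as a string for review; nothing is executed here."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def abuse_report(ip, lines, contact="abuse-reports@example.com"):
    """Plain-text report for the netblock owner, evidence included."""
    header = [
        f"From: {contact}",  # placeholder, not an address from the thread
        f"Subject: SSH brute-force attempts from {ip}",
        "",
        f"{len(lines)} failed SSH logins from {ip} were recorded on our host.",
        "Timestamps are in the host's local time, copied from the log as-is.",
        "",
    ]
    return "\n".join(header + lines)


if __name__ == "__main__":
    for ip, lines in offenders(SAMPLE_LOG, trusted=["198.51.100.0/24"]).items():
        print(drop_rule(ip))
        print(abuse_report(ip, lines))
```

Two design points. The threshold is applied over a window rather than a raw count, so a legitimate user's three failures spread over a week do not accumulate into a block. And the rule is returned rather than executed, because a script that rewrites firewall rules on its own, as Hageman's post notes, needs the trusted-network exception and ideally the rest of the box's services spread elsewhere before it goes on a cron job; once the trusted list and the threshold are right for your traffic, piping the rule to a shell is the easy part.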