lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 12 Feb 2008 13:20:24 +0100
From: Tonnerre Lombard <tonnerre.lombard@...roup.ch>
To: Keith Kilroy <keith@...uritynow.us>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Brute force attack - need your advice

Salut, Keith,

On Tue, 12 Feb 2008 03:21:20 -0500, Keith Kilroy wrote:
> Lock down your server so only needed ports are open, move ssh above  
> the norm scan range, setup SNORT and learn how to use it, harden and  
> update all progz. Check for web app holes.....buffer overflows etc.

While I agree with locking down and checking for vulnerabilities, I
personally think that Snort is snake oil. It hardly ever detected
attacks for me which could have harmed my systems. (There were quite a
bunch of them, but they went mostly unnoticed.)

There are behavior based, autolearning IDS modes, but I've had my
experiences with jumping in public parking lots (which caused terror
alert because the IDS wasn't used to people jumping), so I am quite
sceptic of that as well.

> The only box that is safe is the one unplugged hdd removed and  
> destroyed and rest of system locked in a closet.

Apart from the fact that you cannot destroy a hard disk in a way that
makes it unrecoverable (with expensive equipment and time), this is
pure populism.

> Just perform your due diligence and watch and archive your logs.

I agree here; and don't log to syslog on localhost, have a separate
logging host like syslog is intended to be used...

> are targeted at those guys), ever heard of DDOS and botnets. move all  
> default ports you can and have their services report different than  
> what is really there.

This is security by obscurity. If you just fiddle with the ports which
were open for a second, it is pretty easy to determine which service is
running on it. I see no point at all in all of this port changing.

> If you are detecting the brute force attacks then you can stop them.

Apart from the bandwidth induced, bruteforce attacks are pretty useless
if you have sanely chosen passwords. And in the age of Tengig networks,
the bandwidth penalty is minimal.

> anyway. Just try to stay ahead of the curve. Harden, log, respond. Oh
> yeah be sure to perform your backups, if someone besides a Script

I totally agree to backups though, for various reasons[1]. ;-)

> [Lines of acute paranoia scrapped]
> securing your stuff and monitoring with dynamic blocking that times
> out after a period of time. Rank the attacker when it hits a 5
> blockem for 30 min then if it reoccurs and they achieve a high score

This is pretty useful for various purposes, also for saving bandwidth
used by brute force attackers. But I don't agree to ...

> write. Heck you can even google and download some to get you started.

...using any script Google finds, some have nasty bugs and blacklist
the wrong hosts (e.g. if you set an user name with spaces). You clearly
don't want your DNS server blacklisted, for example.

				Tonnerre

[1]: No, a RAID1 is not a backup.
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33		Güterstrasse 86
Fax:+41 61 383 14 67		4053 Basel
Web:www.sygroup.ch		tonnerre.lombard@...roup.ch

Download attachment "signature.asc" of type "application/pgp-signature" (825 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ