Message-ID: <2ac2e7200802120051g38f7d4ddp668bf3e9f85c9fca@mail.gmail.com>
Date: Tue, 12 Feb 2008 14:21:02 +0530
From: "Abilash Praveen" <contactme@...lashpraveen.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Brute force attack - need your advice

Hello experts,

Thanks for all your rude, honest, polite, helpful replies. I'm really glad I
posted here and most of your replies (if not all) are very useful to me.
Sorry I am not able to reply individually to everyone and thank you. I've
been using a couple of servers and it was very unusual for me to get brute
force on the server on which my personal website is hosted. That is the
reason I posted this question.

Anyway, I shall keep the server tight. Thanks for the port scan report you
have pasted and also the advice on keeping the SSH on a different port.
Thanks again to everyone who has replied.

Kind regards,
Abilash


On 2/12/08, Keith Kilroy <keith@...uritynow.us> wrote:
>
> Lock down your server so only needed ports are open, move ssh above
> the norm scan range, set up SNORT and learn how to use it, harden and
> update all progz. Check for web app holes... buffer overflows etc.
>
> The only box that is safe is the one unplugged, HDD removed and
> destroyed, and the rest of the system locked in a closet.
>
> I just came off a gig with a presidential candidate (a lot of attacks
> are targeted at those guys); ever heard of DDoS and botnets? Move all
> default ports you can and have their services report differently than
> what is really there.
>
> Just perform your due diligence and watch and archive your logs.
>
> If you are detecting the brute force attacks then you can stop them.
>
> Believe me, if you've posted anywhere before, your email is out anyway.
> Just try to stay ahead of the curve. Harden, log, respond. Oh yeah, be
> sure to perform your backups; if someone besides a script kiddie wants
> in they'll get in. The only way to get ISPs to cooperate sometimes
> involves getting the FBI involved (very fun and time consuming), but be
> ready for them to seize your servers until either you (if a forensic
> specialist) or they create a sound image w/ hashes of your drives. But
> most can be traced to the source if it's too bad; you'll just go through
> hell and strict guidelines that must be followed if you get them
> involved. But if you try to hack back you'll be on the wrong side of
> the bars, so tread lightly. Better off securing your stuff and
> monitoring with dynamic blocking that times out after a period of
> time. Rank the attacker; when it hits a 5, block 'em for 30 min, then if it
> reoccurs and they achieve a high score, auto-block 'em again
> longer. The scripts are not that hard to write. Heck, you can even
> google and download some to get you started. Chances are if you are
> not real easy to exploit they'll move on to the next box.
>
> Most here would rather report the vulnerabilities so you can fix 'em.
>
> my 2cents take it for what it's worth.
>
> On Feb 12, 2008, at 2:41 AM, Tonnerre Lombard wrote:
>
> > Salut, Abilash,
> >
> > On Tue, 12 Feb 2008 02:16:02 +0530, Abilash Praveen wrote:
> >> I had been talking to our web hosts the other day and they seem to
> >> have a lot of unusual brute force attack on the servers recently. I'm
> >> guessing that it could be because of my emails to the list? I mean,
> >> do you advice on using a personal email for this type of list? Or
> >> should I use something like @ gmail.com? I know they can't easily
> >> break in to our servers, but am I just giving them a chance?
> >
> > I don't really think that this is closely related to the use of your
> > mail address. Outside in the real nature, there is rain/snow/whatever,
> > which occurs from time to time in some type of natural cycle, and you
> > can't help it.
> >
> > The same goes for SPAM and worms/virii/other automated attacks. They'll
> > always be there, like the rain and the snow. What you should do is put
> > on a raincoat: make sure your systems are up to date and look
> > regularly for holes in the coat. Keep the SPAM and worms off yourself,
> > and whatever flies through your network is just random noise.
> >
> > (But please don't deduce from this posting that you should use it as
> > input in a random number generator to generate cryptographic keys!)
> >
> >                               Tonnerre
> > --
> > SyGroup GmbH
> > Tonnerre Lombard
> >
> > Solutions Systematiques
> > Tel:+41 61 333 80 33          Güterstrasse 86
> > Fax:+41 61 383 14 67          4053 Basel
> > Web:www.sygroup.ch            tonnerre.lombard@...roup.ch
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
>

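The score-based dynamic blocking Keith sketches above (count failures per source, block it at a score of 5 for 30 minutes, block it again for longer if it comes back) written out as an added example; this is not code from the thread or from any of its posters. It parses OpenSSH auth.log-style "Failed password" lines, which are constructed here for the demonstration. The threshold of 5, the 30-minute base, the doubling of the block on each recurrence, the year stamped onto the year-less syslog timestamps, the host name and the sample addresses are all assumptions. The blocker only returns the block decisions; wiring them into iptables/nftables is left to the caller.

```python
"""Score-based dynamic blocking of SSH brute-force sources (added example).

Each failed login adds one point to the source's score. At THRESHOLD points the
source is blocked for BASE_BLOCK; a source that returns after its block expires
and scores again is blocked for twice as long as last time. Lines seen while a
source is blocked are ignored (the firewall should be dropping them anyway).
"""
import re
from datetime import datetime, timedelta

# OpenSSH failure line, e.g.
# "Feb 12 02:15:01 host sshd[4242]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 5                       # failures before a block is issued (assumed)
BASE_BLOCK = timedelta(minutes=30)  # first block length (assumed)
YEAR = 2008                         # syslog timestamps carry no year (assumed)


class Blocker:
    def __init__(self, threshold=THRESHOLD, base_block=BASE_BLOCK):
        self.threshold = threshold
        self.base_block = base_block
        self.score = {}          # ip -> failures since its last block
        self.strikes = {}        # ip -> number of blocks issued so far
        self.blocked_until = {}  # ip -> datetime at which the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def feed(self, line):
        """Consume one log line. Return (ip, block_until) when a block is issued, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if self.is_blocked(ip, ts):
            return None
        self.score[ip] = self.score.get(ip, 0) + 1
        if self.score[ip] < self.threshold:
            return None
        strikes = self.strikes.get(ip, 0)
        duration = self.base_block * (2 ** strikes)  # 30 min, 60 min, 120 min, ...
        self.strikes[ip] = strikes + 1
        self.score[ip] = 0                            # score restarts after a block
        self.blocked_until[ip] = ts + duration
        return ip, ts + duration


def failed_line(ts, ip, user="root"):
    """Build a constructed auth.log failure line for the sample below."""
    return f"Feb 12 {ts} host sshd[4242]: Failed password for {user} from {ip} port 51234 ssh2"


# Constructed sample: six failures from one source (the sixth arrives while it is
# already blocked), one stray failure from another source, then the first source
# returns after its block has expired and fails five more times.
SAMPLE_LOG = (
    [failed_line(f"02:15:0{s}", "198.51.100.7", "invalid user admin") for s in range(1, 7)]
    + [failed_line("02:16:00", "203.0.113.9")]
    + [failed_line(f"03:00:0{s}", "198.51.100.7") for s in range(0, 5)]
)


def run(lines, blocker=None):
    """Feed lines through a Blocker and return the list of (ip, block_until) decisions."""
    blocker = blocker or Blocker()
    decisions = []
    for line in lines:
        decision = blocker.feed(line)
        if decision:
            decisions.append(decision)
    return decisions


if __name__ == "__main__":
    for ip, until in run(SAMPLE_LOG):
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

On the sample the first source is blocked at 02:15:05 for 30 minutes, its sixth attempt is ignored, the second source never reaches the threshold, and the return at 03:00 earns a 60-minute block. Because syslog lines have no year, a real deployment should read the timestamp from the system clock at the time the line is tailed rather than stamping a fixed year on it.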