Message-Id: <20080212163424.551E311803D@mailserver5.hushmail.com>
Date: Tue, 12 Feb 2008 11:34:23 -0500
From: <dudevanwinkle@...h.ai>
To: <full-disclosure@...ts.grok.org.uk>, <contactme@...lashpraveen.com>
Subject: Re: Brute force attack - need your advice

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NP FULL-DISCLOSURE ALWAYS IS HAPPY TO SUPPORT AL QAEDA

On Tue, 12 Feb 2008 03:51:02 -0500 Abilash Praveen <contactme@...lashpraveen.com> wrote:
>Hello experts,
>
>Thanks for all your rude, honest, polite, helpful replies. I'm really glad I
>posted here and most of your replies (if not all) are very useful to me.
>Sorry I am not able to reply individually to everyone and thank you. I've
>been using a couple of servers and it was very unusual for me to get brute
>force on the server in which my personal website is hosted. That is the
>reason I posted this question.
>
>Anyway, I shall keep the server tight. Thanks for the port scan report you
>have pasted and also the advice on keeping the SSH on a different port.
>Thanks again to everyone who has replied.
>
>Kind regards,
>Abilash
>
>
>On 2/12/08, Keith Kilroy <keith@...uritynow.us> wrote:
>>
>> Lock down your server so only needed ports are open, move ssh above
>> the norm scan range, set up SNORT and learn how to use it, harden and
>> update all progz. Check for web app holes.....buffer overflows etc.
>>
>> The only box that is safe is the one unplugged, hdd removed and
>> destroyed and rest of system locked in a closet.
>>
>> I just came off a gig with a presidential candidate (a lot of attacks
>> are targeted at those guys), ever heard of DDOS and botnets. Move all
>> default ports you can and have their services report different than
>> what is really there.
>>
>> Just perform your due diligence and watch and archive your logs.
>>
>> If you are detecting the brute force attacks then you can stop them.
>>
>> Believe me, if you've posted anywhere before your email is out anyway.
>> Just try to stay ahead of the curve. Harden, log, respond. Oh yeah, be
>> sure to perform your backups; if someone besides a Script Kiddie wants
>> in they'll get in. The only way to get ISPs to cooperate sometimes
>> involves getting the FBI involved (very fun and time consuming), but be
>> ready for them to seize your servers until either you (if a forensic
>> specialist) or they create a sound image w/ hashes of your drives. But
>> most can be traced to the source if it's too bad; you'll just go through
>> hell and strict guidelines that must be followed if you get them
>> involved. But if you try to hack back you'll be on the wrong side of
>> the bars, so tread lightly. Better off securing your stuff and
>> monitoring with dynamic blocking that times out after a period of
>> time. Rank the attacker: when it hits a 5, block 'em for 30 min, then if it
>> reoccurs and they achieve a high score then auto block 'em again
>> longer. The scripts are not that hard to write. Heck, you can even
>> google and download some to get you started. Chances are if you are
>> not real easy to exploit they'll move on to the next box.
>>
>> Most here would rather report the vulnerabilities so you can fix 'em.
>>
>> My 2 cents, take it for what it's worth.
>>
>> On Feb 12, 2008, at 2:41 AM, Tonnerre Lombard wrote:
>>
>> > Hi, Abilash,
>> >
>> > On Tue, 12 Feb 2008 02:16:02 +0530, Abilash Praveen wrote:
>> >> I had been talking to our web hosts the other day and they seem to
>> >> have a lot of unusual brute force attack on the servers recently. I'm
>> >> guessing that it could be because of my emails to the list? I mean,
>> >> do you advise on using a personal email for this type of list? Or
>> >> should I use something like @gmail.com? I know they can't easily
>> >> break in to our servers, but am I just giving them a chance?
>> >
>> > I don't really think that this is closely related to the use of your
>> > mail address. Outside in the real nature, there is rain/snow/whatever,
>> > which occurs from time to time in some type of natural cycle, and you
>> > can't help it.
>> >
>> > The same goes for SPAM and worms/virii/other automated attacks.
>> > They'll always be there, like the rain and the snow. What you should
>> > do is put on a rain coat: make sure your systems are up to date and
>> > look regularly for holes in the coat. Keep the SPAM and worms off
>> > yourself, and whatever flies through your network is just random noise.
>> >
>> > (But please don't deduce from this posting that you should use it as
>> > input in a random number generator to generate cryptographic keys!)
>> >
>> > Tonnerre
>> > --
>> > SyGroup GmbH
>> > Tonnerre Lombard
>> >
>> > Solutions Systematiques
>> > Tel: +41 61 333 80 33        Güterstrasse 86
>> > Fax: +41 61 383 14 67        4053 Basel
>> > Web: www.sygroup.ch          tonnerre.lombard@...roup.ch
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
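Keith's "rank the attacker, block for 30 minutes, block longer if it recurs" scheme, written out as an added example that is not code from the thread: it scores failed sshd logins per source address, issues a timed block at the fifth failure, and doubles the duration on each repeat offence. The log format, host name, 192.0.2.x/198.51.100.x addresses and the doubling schedule are constructed assumptions, not anything the posters used.

```python
import re
from datetime import datetime, timedelta
# Matches a syslog-style sshd failure; hostname and PIDs are constructed sample data.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)")

class Blocker:
    """Scores failures per source IP; each new block doubles the last duration."""
    def __init__(self, threshold=5, base_block=timedelta(minutes=30)):
        self.threshold, self.base_block = threshold, base_block
        self.failures = {}       # ip -> failures since the last block
        self.strikes = {}        # ip -> blocks already issued (escalation level)
        self.blocked_until = {}  # ip -> expiry of the current block

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, now)

    def failure(self, ip, now):
        """Record one failed login; return the expiry if a new block starts."""
        if self.is_blocked(ip, now):
            return None                  # firewall should already be dropping it
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.threshold:
            return None
        strikes = self.strikes.get(ip, 0)
        expiry = now + self.base_block * (2 ** strikes)   # 30 min, 1 h, 2 h, ...
        self.strikes[ip], self.failures[ip] = strikes + 1, 0
        self.blocked_until[ip] = expiry
        return expiry

def process_log(lines, year=2008):
    """Run sshd log lines through a Blocker; return [(ip, expiry)] per block issued."""
    blocker, blocks = Blocker(), []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                     # accepted logins, other daemons, noise
        # syslog lines carry no year, so the caller supplies it
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        expiry = blocker.failure(m['ip'], now)
        if expiry:
            blocks.append((m['ip'], expiry))
    return blocks

# Constructed sample: 5 failures, one attempt while blocked, 5 more after expiry.
SAMPLE_LOG = [
    *(f"Feb 12 03:51:0{i} host sshd[1000]: Failed password for root from 192.0.2.10 port 4412 ssh2" for i in range(5)),
    "Feb 12 03:55:00 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 4413 ssh2",
    "Feb 12 03:56:00 host sshd[1002]: Accepted publickey for abilash from 198.51.100.7 port 5000 ssh2",
    *(f"Feb 12 04:30:0{i} host sshd[1003]: Failed password for root from 192.0.2.10 port 4414 ssh2" for i in range(5)),
]
```

Running `process_log(SAMPLE_LOG)` yields one 30-minute block at the fifth failure and a 60-minute block when the same source returns after it expires; the attempt made while blocked is neither counted nor re-blocked.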