lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.00.1110030548020.7763@mtl.rackplans.net>
Date:	Mon, 3 Oct 2011 05:49:52 -0400 (EDT)
From:	gmack@...erfire.net
To:	"Frank A. Kingswood" <frank@...gswood-consulting.co.uk>
cc:	Steven Rostedt <rostedt@...dmis.org>, Willy Tarreau <w@....eu>,
	Greg KH <greg@...ah.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: kernel.org status: hints on how to check your machine for
 intrusion

On Sat, 1 Oct 2011, Frank A. Kingswood wrote:
> On 01/10/11 19:06, Steven Rostedt wrote:
> > On Sat, Oct 01, 2011 at 09:35:33AM +0200, Willy Tarreau wrote:
> > > 
> > For my machine that is connected to the outside world, I have a script
> > that runs every night that checks for attacks. As bots constantly look
> > for port 22 and 80, they find my machine without issue. When my script
> > detects a bunch of ssh login attempts that fail, it will add that ip
> > address to the iptables DROP chain:
> > 
> > # iptables -L -n | grep DROP | wc -l
> > 2656
> > 
> > I've picked up quite a few ;)
> > 
> > This script only runs and scans once at night. Probably better to have
> > it run more often.
> 
> Limiting SSH accesses to a few a minute (failed or not) is useful to block
> many password guess attacks. I set up mine a long time ago following this
> article using "recent" matches in iptables:
> 
> http://www.debian-administration.org/articles/187
> 
> You'll want to set the same rules for ipv6.
> 
> This won't stop low frequency and distributed attacks, and sometimes but
> extremely rarely I find myself connecting more quickly than the rate limit.

Too easy to hit the rate limit if you work in an office full of people who 
use scp for file uploads.

	Gerhard


--
Gerhard Mack

gmack@...erfire.net

<>< As a computer, I find your faith in technology amusing.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ