Open Source and information security mailing list archives
Date:	Mon, 3 Oct 2011 05:47:26 -0400 (EDT)
From:	gmack@...erfire.net
To:	Steven Rostedt <rostedt@...dmis.org>
cc:	David Miller <davem@...emloft.net>, w@....eu, greg@...ah.com,
	linux-kernel@...r.kernel.org
Subject: Re: kernel.org status: hints on how to check your machine for
 intrusion

> Date: Sat, 01 Oct 2011 14:45:38 -0400
> From: Steven Rostedt <rostedt@...dmis.org>
> To: David Miller <davem@...emloft.net>
> Cc: w@....eu, greg@...ah.com, linux-kernel@...r.kernel.org
> Subject: Re: kernel.org status: hints on how to check your machine for
>     intrusion
> 
> On Sat, 2011-10-01 at 14:40 -0400, Steven Rostedt wrote:
> > OK, I decided to attach the perl script anyway. It is very crude, and
> > really needs to be cleaned up for generic use.
> > 
> 
> I've just been pointed to:
> 
> http://www.fail2ban.org/wiki/index.php/Main_Page
> 
> This looks like something similar.
> 
> You see, the reason I posted this tool is because I was sure people will
> point me to better ones that do the same thing (and more!)   ;)
> 

The nice thing about fail2ban is that you can use it to monitor other 
ports since many bots are now doing ftp/smtp sasl/imap/imaps/pop3/pop3s 
scans to find system accounts and then use the result for an ssh login.

As a warning though, at least on debian the SMTP SASL regex is non 
functional and I haven't had time to work out a working one so hopefully 
if someone has one it would be helpful. A fix for this is doubly important 
since the SASL package has a memory leak on failed login that they have 
known about for at least 3 years but haven't bothered fixing.  A scanning 
bot can take up several gigs of memory in about an hour.

	Gerhard


--
Gerhard Mack

gmack@...erfire.net

<>< As a computer, I find your faith in technology amusing.
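As an added illustration of the mechanism Gerhard describes (this is my own example code, not Gerhard's, not the kernel.org tool, and not fail2ban's own filter), the script below does for SMTP SASL what fail2ban does for sshd: a failregex is matched over log lines, failures are counted per source address inside a findtime window, and a host that reaches maxretry is flagged. The log lines are constructed in the style of Postfix/SASL "authentication failed" warnings, and both that format and the regex are assumptions; this is not the Debian filter the message says is broken.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real server). The format follows
# the usual Postfix smtpd SASL failure warning, which is an assumption here.
SAMPLE_LOG = """\
Oct  3 05:40:01 mail postfix/smtpd[2311]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct  3 05:40:03 mail postfix/smtpd[2311]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Oct  3 05:40:05 mail postfix/smtpd[2311]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct  3 05:40:09 mail postfix/smtpd[2312]: warning: host.example.net[198.51.100.4]: SASL LOGIN authentication failed: authentication failure
Oct  3 05:40:11 mail postfix/smtpd[2313]: connect from host.example.net[198.51.100.4]
Oct  3 05:40:12 mail postfix/smtpd[2311]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""

# A fail2ban-style failregex: fail2ban would write the address part as <HOST>;
# here it is spelled out as a named group so the script is self-contained.
FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# Syslog timestamp at the start of each line ("Oct  3 05:40:01").
LOG_TS = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line):
    """Return the syslog timestamp of a line, or None if it has none.
    Syslog carries no year, so the year is left at strptime's default;
    only differences between timestamps are used below."""
    m = LOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")


def count_failures(lines):
    """Total SASL authentication failures per source address."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def find_offenders(lines, maxretry=3, findtime=600):
    """Replay the log in order and return {host: timestamp} for every host
    that accumulates `maxretry` failures within any `findtime`-second window,
    the way fail2ban's maxretry/findtime pair decides on a ban."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = parse_ts(line)
        if ts is None:
            continue
        host = m.group("host")
        q = recent[host]
        q.append(ts)
        # Drop failures that fell out of the findtime window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per host:", count_failures(lines))
    for host, when in find_offenders(lines).items():
        print(f"would ban {host} at {when.strftime('%b %d %H:%M:%S')}")
```

Run against the constructed lines, 203.0.113.7 crosses the three-failure threshold at 05:40:05 and would be handed to the ban action; 198.51.100.4 fails once and is left alone. Shrinking findtime shows why the window matters: a slow scanner that spaces its attempts wider than the window is never counted, which is the trade-off between catching the scanners Gerhard describes and not banning a user who mistyped a password.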
