[lug] Cracking attempts via SSH
Richard H. Fifarek
rfifarek at fifarek.net
Thu Aug 19 11:45:51 MDT 2004
On Thu, 19 Aug 2004, Bill Thoen wrote:
> The pattern was to try accessing an account named 'test', then 2 seconds
> later to try the account 'guest.' The originating IPs were from Korea
> and China (of course), Italy, Russia, and other European sources. Even
> one from the class B network I'm on.
I'm seeing these as well.
> So what's going on? Are script kiddies trying out something new that I
> should be concerned about? What bothers me is the three tries on 'root'.
> I think I've got a decent password, but I don't know much about cracking,
> so I don't know what they're capable of.
Some things that you can do to protect yourself:
- disable remote root logins via ssh, force admins to su
- increase the length of passwords (increases time it takes to
brute force crack it)
- use pam_tally to limit failed logins to X number of logins
before the account is locked (we use 5)
- firewall off connections from obvious IP ranges that users
wouldn't likely connect from (China, Korea, etc.)
- one-time passwords (expensive and painful but effective)
The first three are fairly easy to do and not too painful; the last two
are potentially problematic.
--
Richard H. Fifarek
rfifarek at fifarek.net
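An added example, not from the thread, of what the scripted test/guest/root pattern described above looks like in sshd's auth log and how a defender might flag it: the script parses constructed sample lines, groups failed logins by source IP, and marks the test-then-guest probe, root attempts, and sources that reach a pam_tally-style limit of 5. The host name, IPs and log lines are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog/OpenSSH style; these are made up
# for the example, not real log data.
SAMPLE_LOG = """\
Aug 19 03:12:01 host sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 4312 ssh2
Aug 19 03:12:03 host sshd[2103]: Failed password for invalid user guest from 203.0.113.7 port 4313 ssh2
Aug 19 03:12:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 4314 ssh2
Aug 19 03:12:07 host sshd[2107]: Failed password for root from 203.0.113.7 port 4315 ssh2
Aug 19 03:12:09 host sshd[2109]: Failed password for root from 203.0.113.7 port 4316 ssh2
Aug 19 04:00:00 host sshd[2201]: Failed password for alice from 198.51.100.5 port 5000 ssh2
Aug 19 04:00:30 host sshd[2202]: Accepted password for alice from 198.51.100.5 port 5001 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

PROBE_ACCOUNTS = ("test", "guest")   # the probe order the thread describes
LOCKOUT_THRESHOLD = 5                 # mirrors the pam_tally limit in the reply

def parse_failures(log_text):
    """Return (user, source_ip) for every failed-password line, in log order."""
    out = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def analyze(log_text):
    """Group failures by source IP and flag the test->guest probe, root
    attempts, and sources at or over the lockout threshold."""
    per_ip = defaultdict(list)
    for user, ip in parse_failures(log_text):
        per_ip[ip].append(user)
    report = {}
    for ip, users in per_ip.items():
        seq = tuple(users)
        probe = any(seq[i:i + 2] == PROBE_ACCOUNTS for i in range(len(seq) - 1))
        report[ip] = {
            "failures": len(users),
            "probe_pattern": probe,
            "root_attempts": users.count("root"),
            "over_threshold": len(users) >= LOCKOUT_THRESHOLD,
        }
    return report
```

Run it against /var/log/auth.log (or wherever sshd logs on your distribution) instead of SAMPLE_LOG to see which sources hit the threshold before pam_tally or a firewall rule would.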