take a look at http://www.pettingers.org/code/sshblack.html which blocks
ip addresses via iptables (denyhosts depends on sshd with tcp wrappers
support). if a machine is attempting to hack in via ssh, you probably do
not want any ip packets from it.

On Thu, 31 Aug 2006, Matt Shields wrote:

> Instead of changing the port which ssh runs on, try
> http://denyhosts.sf.net It watches your secure.log file for these
> attacks and blocks them
>
> Matthew Shields
> Sr Systems Administrator
> NameMedia, Inc.
> (P) 781-839-2828
> mshields at namemedia.com
> http://www.namemedia.com
>
>
> -----Original Message-----
> From: discuss-bounces at blu.org [mailto:discuss-bounces at blu.org] On Behalf
> Of Larry Underhill
> Sent: Thursday, August 31, 2006 12:41 PM
> To: Bill Horne
> Cc: discuss at blu.org
> Subject: Re: Attack from a reserved address
>
> On Wed, 2006-08-30 at 18:54 -0400, Bill Horne wrote:
>
>> P.S. I've closed the port, but anyone who wants to test it, just drop
>> me an email with your IP address.
>
> Bill,
>
> Dictionary attacks against sshd are really common these days. Have you
> considered running sshd on a high numbered port? This simple step
> eliminated these kiddie attacks against my home box. (obviously, this
> doesn't prevent the more sophisticated attackers)
>
> slightly OT: what are the general practices that folks take to
> secure the "public" services on their home boxen? I have ssh and http
> available.
>
> My general take is:
>
> * firewall with ssh (on a high num port) and http open. All others are
>   denied.
> * linux distro w/ current updates
> * sshd w/ key only access and no remote root login.
> * apache w/ ServerToken and ServerSignature set so I don't broadcast
>   much info about my apache or platform version.
> * apache defaults to serving a blank html page. Nothing in cgi-bin. All
>   the sites are served by virtual hosts. Folks port scanning port 80 get
>   nothing. Folks who actually know the domains get served pages.
>
> I also rotate passwords for root and my (one) user account. Any other
> tips/tricks?
>
> --Larry
>

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
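
The approach both replies in this thread point to (watch the sshd log for repeated failed logins, then block the source address with iptables) can be sketched as follows. This is an added example, not code from DenyHosts or sshblack and not part of the original messages; the log lines are constructed, and the threshold, window, whitelist and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd syslog format (not taken from the thread).
SAMPLE_LOG = """\
Aug 31 12:40:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Aug 31 12:40:03 box sshd[2103]: Failed password for root from 203.0.113.7 port 40115 ssh2
Aug 31 12:40:05 box sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Aug 31 12:41:10 box sshd[2110]: Accepted publickey for larry from 198.51.100.20 port 51000 ssh2
Aug 31 12:45:00 box sshd[2120]: Failed password for larry from 198.51.100.20 port 51010 ssh2
Aug 31 13:30:00 box sshd[2200]: Failed password for root from 192.0.2.9 port 33000 ssh2
Aug 31 14:30:00 box sshd[2300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Aug 31 15:30:00 box sshd[2400]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Anchored at line start and the user name limited to one token, so text an
# attacker places in the user name field cannot supply the address we block.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def offenders(log_text, threshold=3, window=timedelta(minutes=10), year=2006):
    """Return IPs with at least `threshold` failures inside any `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(2)].append(ts)
    flagged = []
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)

def drop_rules(ips, whitelist=()):
    """Render (not execute) iptables DROP rules, skipping whitelisted IPs."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip in ips if ip not in whitelist]

if __name__ == "__main__":
    for rule in drop_rules(offenders(SAMPLE_LOG), whitelist={"198.51.100.20"}):
        print(rule)
```

The whitelist keeps an address you log in from out of the block list after a few mistyped passwords, and the sliding window keeps slow, widely spaced failures (192.0.2.9 in the sample) from being treated like a burst.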