Date:      Thu, 28 Oct 2004 20:36:39 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Steve Suhre <steve@Antero.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Hacker activity?
Message-ID:  <20041028193639.GA46862@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <6.0.3.0.2.20041028124740.03d9f700@nano.net>
References:  <6.0.3.0.2.20041028102537.04be6ec0@nano.net> <20041028133250.77c30503@vixen42.24-119-122-191.cpe.cableone.net> <6.0.3.0.2.20041028124740.03d9f700@nano.net>



On Thu, Oct 28, 2004 at 01:13:14PM -0600, Steve Suhre wrote:

> Thanks. Right now I'm blocking 66.249.6*.* on the secure server for the cgi
> script and haven't seen anything for a couple hours. The other intruder is
> a little slicker and moves around quite a bit. My interest is in the
> frequency, or lack thereof. Do they attack many sites at once, like spam,
> hoping to hit on a server that has a dictionary password? Rather than pound
> one server with all they've got? Distributed hacking? I can't think of
> another reason why someone would even try to hack into a server by logging
> in 50-100 times once or twice a week. You can't get root through anything
> but the console and 50-100 attempts don't cover a lot of password ground on
> the other accounts, most of which are locked down against shell access
> anyway.... I'm not really concerned about the activity, it would take eons
> to hack into anything this way. I'm wondering if there's something going on
> that I don't know, maybe this is a smoke screen to divert attention from
> the real threat? It doesn't make a lot of sense....

It's an automated attack -- just a script run by some kiddie that
searches the IP address space to find and break into Linux servers.
It finds systems that respond on port 22 and then tries to guess a
number of account/password combinations.  I believe the vast majority
of scans originate from the far east, as do the vast majority of
compromised boxes -- something to do with a Linux distro popular out
there that had a bunch of unsecured accounts in its default install.
It's neither efficient nor cleverly implemented.

If you've got good passwords in place for all your user accounts, or
you require people to use key based auth to log in, or you move the
port sshd listens on, then the scans won't be able to hurt you.
Switching to exclusive use of key based auth is what I'd choose --
once you've got the keys set up then it's not at all intrusive.  Plus
you can use the ssh-agent(1) to hold your keys in memory, which means
you don't have to keep reentering the pass phrase each time you ssh
into a new machine, even several hops away.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
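A detection check for the scripted account/password sweeps Matthew describes, added here as an example and not part of the thread: it parses OpenSSH "Failed password" lines in the auth.log format and flags sources that fail against many different usernames, which separates a dictionary scan from a legitimate user mistyping their own password. The log lines and addresses below are constructed for the example.

```python
import re

# Matches OpenSSH sshd failure lines as syslog writes them to auth.log.
# "invalid user " is present only when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample (not taken from the thread): one scripted sweep from
# an address in the range the original poster is blocking, plus a real
# user who gets their password wrong twice before logging in with a key.
SAMPLE_LOG = """\
Oct 28 12:01:03 secure sshd[4711]: Failed password for invalid user test from 66.249.65.12 port 43211 ssh2
Oct 28 12:01:05 secure sshd[4712]: Failed password for invalid user guest from 66.249.65.12 port 43215 ssh2
Oct 28 12:01:07 secure sshd[4713]: Failed password for root from 66.249.65.12 port 43219 ssh2
Oct 28 12:01:09 secure sshd[4714]: Failed password for invalid user admin from 66.249.65.12 port 43223 ssh2
Oct 28 12:01:11 secure sshd[4715]: Failed password for invalid user oracle from 66.249.65.12 port 43227 ssh2
Oct 28 12:02:40 secure sshd[4720]: Failed password for steve from 192.0.2.8 port 51000 ssh2
Oct 28 12:02:48 secure sshd[4721]: Failed password for steve from 192.0.2.8 port 51001 ssh2
Oct 28 12:03:00 secure sshd[4722]: Accepted publickey for steve from 192.0.2.8 port 51002 ssh2
"""

def summarize(log_text):
    """Group failed-password events by source IP.
    Returns {ip: {"attempts": int, "users": set, "first": ts, "last": ts}}."""
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        rec = per_ip.setdefault(
            m["ip"], {"attempts": 0, "users": set(), "first": m["ts"], "last": m["ts"]})
        rec["attempts"] += 1
        rec["users"].add(m["user"])
        rec["last"] = m["ts"]
    return per_ip

def dictionary_scans(per_ip, min_attempts=5, min_users=3):
    """Sources with many failures spread over several usernames: the shape of
    a scripted sweep. A user fumbling one account's password is not flagged."""
    return sorted(ip for ip, r in per_ip.items()
                  if r["attempts"] >= min_attempts and len(r["users"]) >= min_users)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in dictionary_scans(summary):
        r = summary[ip]
        print(f"{ip}: {r['attempts']} failures across {len(r['users'])} usernames, "
              f"{r['first']} .. {r['last']}")
```

On a live system feed it `/var/log/auth.log` and raise the thresholds if the host normally sees many genuine typos; once password authentication is disabled as Matthew suggests, every match is pure noise from scanners rather than a risk.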
