From owner-freebsd-questions@FreeBSD.ORG Sat Apr 14 18:47:02 2007
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Date: Sat, 14 Apr 2007 13:46:55 -0500
Subject: Re: Given this evidence, should I be worried that I may have been hacked
Message-ID: <02A26E5CAA6B8BC3F91D1F1C@paul-schmehls-powerbook59.local>
In-Reply-To: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)

--On April 14, 2007 7:25:46 AM -0400 Jim Stapleton wrote:

> Once I opened up SSH to the outside world, my machine has been
> hammered once or twice a day most days, with username failures. None
> of the usernames would fit a username on my system (except root), and
> I have ssh set to deny root logins, and only use SSH2. Additionally, I
> have the following in my login.access (only active entry; the names
> have been changed on this, but the three names would appear as 3 and
> four character random alphabetical strings):
> -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
>
> As of the 9th, I've only seen one set of blatant/brute-force attempts
> at my ssh server. It's interesting, but the major drop in attempts has
> me more worried than the attempts (could this drop off be because they
> no longer need to hack me? Could they have hacked me and that be the
> reason why?)
>
> How worried should I be, and what's the best recourse for this?

I have a *lot* of experience with hacked boxes. They all share at least
one of three things in common:

1) Not patched up to date
2) Incorrectly (or not at all) configured
3) Weak or default passwords

Those three things are the cause of almost every breakin I've seen. The
first is by far the greatest reason for breakins. The second and third
are less frequent but still often the case. It is not at all uncommon
to find a box running unpatched and unconfigured services that its owner
had no idea were running.

If you have any of the above conditions, then you have something to be
concerned about. If you don't, then the reduction in attacks is most
likely pure coincidence.

If you don't want your computer broken into:

1) Keep it patched and up to date at *all* times. Eternal vigilance is
the watchword.
2) Disable *and* remove all services you do not intend to run. Don't
install a program if you aren't going to be using it.
3) If you want to play around with something, configure it to respond to
localhost *only* or restrict access to known IP addresses.
4) *Always* change default passwords and *never* use weak passwords. A
weak password is defined as a password that does not use special
characters. Period. Alphanumeric passwords can resist brute force
attacks for approximately one week using modern computers.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
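As an added example, not code from either poster or from the list, here is the check a defender would actually run over the sshd log that the question describes: rather than counting failures, it looks for the thing that would answer "have I been hacked", namely a successful login from a non-local address, and reports why each one deserves a second look (user outside the login.access allow list, earlier failures from the same source, password rather than key authentication). The log lines are constructed in OpenSSH's syslog format with documentation-range addresses, the allow-list names mirror the placeholder names in Jim's login.access entry, and treating 192.168.2.0/24 as "local" is an assumption taken from the mail headers.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of sshd auth log lines in OpenSSH's syslog format
# (not taken from the original post); the addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 13 02:11:07 host sshd[4021]: Invalid user admin from 203.0.113.9
Apr 13 02:11:07 host sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Apr 13 02:11:12 host sshd[4023]: Invalid user oracle from 203.0.113.9
Apr 13 02:11:12 host sshd[4023]: Failed password for invalid user oracle from 203.0.113.9 port 40131 ssh2
Apr 13 02:11:19 host sshd[4025]: Failed password for root from 203.0.113.9 port 40140 ssh2
Apr 13 08:30:01 host sshd[4102]: Accepted publickey for wrbc from 192.168.2.50 port 51012 ssh2
Apr 14 03:02:44 host sshd[4388]: Failed password for crr from 198.51.100.7 port 33001 ssh2
Apr 14 03:02:51 host sshd[4390]: Accepted password for crr from 198.51.100.7 port 33009 ssh2
"""

# Mirrors the poster's login.access rule "-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local":
# only these accounts should ever succeed from a non-local address.
ALLOWED_REMOTE_USERS = {"wrbc", "crr", "aqp"}
# Assumed: the poster's LAN (192.168.2.0/24 appears in the mail headers) counts as "local".
LOCAL_NETS = [ip_network("192.168.2.0/24"), ip_network("127.0.0.0/8")]

# "Failed password for invalid user X from A port N" / "Failed password for root from A port N"
FAILED_RE = re.compile(r"Failed \S+ for (invalid user )?(\S+) from (\S+) port \d+")
# "Accepted publickey for X from A port N"
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def is_local(addr: str) -> bool:
    """True if addr falls inside one of the networks treated as local."""
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def analyze(log_text: str) -> dict:
    """Summarise failures per source and flag remote successes that deserve review."""
    failed_by_src = Counter()            # source IP -> number of failed attempts
    users_by_src = defaultdict(Counter)  # source IP -> usernames tried from it
    invalid_users = Counter()            # usernames that do not exist on the box
    root_failures = 0
    suspicious = []                      # remote successes, each with its reasons

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, src = m.groups()
            failed_by_src[src] += 1
            users_by_src[src][user] += 1
            if invalid:
                invalid_users[user] += 1
            if user == "root":
                root_failures += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if is_local(src):
                continue  # logins from the LAN are expected; only remote ones are reviewed
            reasons = []
            if user not in ALLOWED_REMOTE_USERS:
                reasons.append("user not in remote allow list")
            if failed_by_src[src]:
                reasons.append(f"{failed_by_src[src]} earlier failure(s) from this source")
            if method == "password":
                reasons.append("password authentication, not a key")
            suspicious.append({"user": user, "src": src, "method": method, "reasons": reasons})

    return {
        "failed_by_src": failed_by_src,
        "users_by_src": users_by_src,
        "invalid_users": invalid_users,
        "root_failures": root_failures,
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["failed_by_src"].most_common():
        print(f"{src}: {n} failed, usernames {dict(report['users_by_src'][src])}")
    print("root failures:", report["root_failures"])
    print("nonexistent usernames tried:", dict(report["invalid_users"]))
    for s in report["suspicious_logins"]:
        print(f"REVIEW: {s['user']} from {s['src']} via {s['method']}: " + "; ".join(s["reasons"]))
```

On the sample, the 203.0.113.9 burst is the familiar dictionary sweep (nonexistent users plus root, all refused), which is noise as long as the advice above is followed; the one line that matters is the password login for "crr" from 198.51.100.7 after a failure from the same address, which is exactly the kind of event a falling failure count can hide. On FreeBSD the same question can be cross-checked against the wtmp record with last(1).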