Date: Sat, 14 Apr 2007 13:46:55 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Subject: Re: Given this evidence, should I be worried that I may have been hacked
Message-ID: <02A26E5CAA6B8BC3F91D1F1C@paul-schmehls-powerbook59.local>
In-Reply-To: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com>
References: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com>
--On April 14, 2007 7:25:46 AM -0400 Jim Stapleton <stapleton.41@gmail.com> wrote:

> Once I opened up SSH to the outside world, my machine has been
> hammered once or twice a day most days, with username failures. None
> of the usernames would fit a username on my system (except root), and
> I have ssh set to deny root logins, and only use SSH2. Additionally, I
> have the following in my login.access (only active entry; the names
> have been changed on this, but the three names would appear as 3- and
> 4-character random alphabetical strings):
> -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
>
> As of the 9th, I've only seen one set of blatant/brute-force attempts
> at my ssh server. It's interesting, but the major drop in attempts has
> me more worried than the attempts (could this drop-off be because they
> no longer need to hack me? Could they have hacked me and that be the
> reason why?)
>
> How worried should I be, and what's the best recourse for this?

I have a *lot* of experience with hacked boxes. They all share at least one of three things in common:

1) Not patched up to date
2) Incorrectly (or not at all) configured
3) Weak or default passwords

Those three things are the cause of almost every break-in I've seen. The first is by far the greatest reason for break-ins. The second and third are less frequent but still often the case. It is not at all uncommon to find a box running unpatched and unconfigured services that its owner had no idea were running.

If you have any of the above conditions, then you have something to be concerned about. If you don't, then the reduction in attacks is most likely pure coincidence.

If you don't want your computer broken into:

1) Keep it patched and up to date at *all* times. Eternal vigilance is the watchword.
2) Disable *and* remove all services you do not intend to run. Don't install a program if you aren't going to be using it.
3) If you want to play around with something, configure it to respond to localhost *only* or restrict access to known IP addresses.
4) *Always* change default passwords and *never* use weak passwords. A weak password is defined as a password that does not use special characters. Period. Alphanumeric passwords can resist brute force attacks for approximately one week using modern computers.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
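The thread turns on one question: does the drop in failed logins mean anything? The check a practitioner would actually run is to look at sshd's own log for the usual scan pattern (many failures, many usernames, no success from that source) versus the pattern that warrants investigation (an accepted login from a source that had failures first, or for a user outside the login.access allow list). The script below is an added example written for this page, not code from the thread or from FreeBSD. The log lines are constructed in the FreeBSD auth.log style; the allow list reuses the placeholder names wrbc, crr and aqp from the quoted login.access entry. The function names (parse_auth_log, findings, failures_by_day) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in FreeBSD /var/log/auth.log style (not from the original post).
SAMPLE_LOG = """\
Apr 10 03:14:01 host sshd[1201]: Invalid user admin from 203.0.113.7
Apr 10 03:14:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Apr 10 03:14:05 host sshd[1203]: Invalid user oracle from 203.0.113.7
Apr 10 03:14:07 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51050 ssh2
Apr 10 03:14:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51052 ssh2
Apr 11 22:01:44 host sshd[1390]: Failed password for wrbc from 198.51.100.9 port 40211 ssh2
Apr 11 22:01:50 host sshd[1390]: Accepted password for wrbc from 198.51.100.9 port 40211 ssh2
Apr 12 09:30:12 host sshd[1502]: Accepted publickey for crr from 192.0.2.25 port 38822 ssh2
"""

# OpenSSH's standard message forms; "invalid user" is present when the account does not exist.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
INVALID = re.compile(r"Invalid user (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")

# Placeholder allow list, taken from the quoted login.access line in the thread.
ALLOWED_USERS = ("wrbc", "crr", "aqp")


def parse_auth_log(text):
    """Group sshd events by source IP: failure count, usernames tried, accepted logins."""
    by_ip = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            by_ip[ip]["failed"] += 1
            by_ip[ip]["users"].add(user)
            continue
        m = INVALID.search(line)
        if m:
            user, ip = m.groups()
            by_ip[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            by_ip[ip]["accepted"].append((user, method))
    return dict(by_ip)


def failures_by_day(text):
    """Count failed password attempts per calendar day (the trend the thread is asking about)."""
    counts = defaultdict(int)
    for line in text.splitlines():
        if FAILED.search(line):
            counts[line[:6]] += 1  # syslog timestamp prefix, e.g. "Apr 10"
    return dict(counts)


def findings(by_ip, allowed_users=ALLOWED_USERS):
    """Separate ordinary scanning noise from events that need a human to look at them."""
    out = []
    for ip, rec in sorted(by_ip.items()):
        if rec["failed"] >= 3 and not rec["accepted"]:
            out.append(f"{ip}: {rec['failed']} failures across {len(rec['users'])} usernames, "
                       f"no success (ordinary scan)")
        for user, method in rec["accepted"]:
            if rec["failed"] > 0:
                out.append(f"{ip}: accepted {method} for {user} after {rec['failed']} failure(s); "
                           f"confirm this was a legitimate login")
            if user not in allowed_users:
                out.append(f"{ip}: accepted login for {user}, who is not in the login.access allow list")
            if method == "password":
                out.append(f"{ip}: password login for {user}; a weak password here is what the "
                           f"scanners are counting on")
    return out


if __name__ == "__main__":
    activity = parse_auth_log(SAMPLE_LOG)
    print("failures per day:", failures_by_day(SAMPLE_LOG))
    for note in findings(activity):
        print(note)
```

On a real host the same functions can be run over the contents of /var/log/auth.log (and its rotated copies) instead of SAMPLE_LOG. Scanning traffic like the 203.0.113.7 entries is the background noise the original poster describes; the item worth the poster's attention is any accepted login that follows failures from the same source, or that arrives for a user the login.access rule should have rejected. A falling daily count with no such entry is consistent with the "pure coincidence" reading in the reply.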