[PLUG] iptables firewalling...

Jon Scully jonscully at gmail.com
Tue Sep 5 18:07:32 UTC 2006


On 9/5/06, Carlos Konstanski <ckonstanski at pippiandcarlos.com> wrote:
> Another thought on ports and security.  Here's something I need to do,
> right this minute.  I have port 22 open, but I accept password
> authentication for SSH.  I need to take away password auth immediately,
> and require authorized keys instead.  You should see the syslog entries
> - thousands of attempts to guess usernames and passwords.  Of all the
> logs I see, this one worries me the most.
>
> Carlos Konstanski

Using keys will add extra security, but it won't stop the log files
from filling up.  Lately it seems a whole dictionary is being used for
these attacks (it used to be just a dozen words at a time: root,
admin, apache, john, etc.).  I guess using a whole dictionary has been
more successful for these guys.

At least it seemed to work for one client's server.  He created a user
account using a common name and used the same name as the password.
There were about 3GB of outgoing e-mail choked up in the spool, by the
time I got there (SMTP port was blocked).  Apparently when these
attempts are successful, the attacking script just pushes another
generic mailer script out and kicks it off blind.  (Was a simple Perl
script.)

But back to the log files...  The only way to stop these attacks from
filling up your log files is to block port 22.  You can do this and
open up the port for just a few specific IP addresses.  Or you can
close it for all IP addresses and dynamically open it up for specific
ones using port knocking.

Some would say port knocking isn't a worthy security measure.  Perhaps
so.  However, having clean log files is still a wonderful thing. ;-)

Here's a shameless plug for a port-knocking technique you can use
anywhere iptables is available: http://www.soloport.com/iptables.html
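
The two approaches above (an allow-list of source addresses, and a knock that opens the port dynamically), plus the sshd change Carlos describes, as an added example that is not part of the original message or the linked soloport.com page. It uses the xt_recent match for the knock rather than whatever the linked page does, prints the iptables commands instead of applying them so they can be reviewed and then piped to sh as root, and the addresses 203.0.113.10, 198.51.100.0/24 and knock port 7000 are placeholders (RFC 5737 documentation ranges), not values from the thread.

```shell
#!/bin/sh
# Added example (not the posted page's script): emit an iptables policy that
# exposes tcp/22 only to fixed source addresses, a port-knocking variant on
# the xt_recent match, and a check that sshd_config really refuses passwords.
# Rules are printed, not applied: review them, then `| sh` as root.
# 203.0.113.10, 198.51.100.0/24 and knock port 7000 are placeholders.

SSH_PORT=22
ALLOWED_SOURCES="203.0.113.10 198.51.100.0/24"
KNOCK_PORT=7000

# Static allow-list: keep established flows, then one ACCEPT per trusted
# source, then DROP.  Dropped SYNs never reach sshd, so the failed-login
# noise disappears from auth.log instead of being rate-limited there.
ssh_allowlist_rules() {
    port=$1
    shift
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -N SSH_ALLOW"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_ALLOW"
    for src in "$@"; do
        echo "iptables -A SSH_ALLOW -s $src -j ACCEPT"
    done
    echo "iptables -A SSH_ALLOW -j DROP"
}

# Port knocking with xt_recent: a SYN to the knock port records the source
# in the KNOCK list (and is itself dropped); a source seen in that list
# within the last 30 seconds may open port 22, everyone else sees it
# filtered.  The ESTABLISHED rule keeps an open session alive after the
# 30-second window closes.
knock_rules() {
    port=$1
    knock=$2
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $knock -m recent --name KNOCK --set -j DROP"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name KNOCK --rcheck --seconds 30 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Read an sshd_config on stdin; succeed if passwords are still accepted.
# sshd honours the first occurrence of a keyword and its compiled-in default
# is "yes", so a missing directive counts as enabled.  Match blocks are not
# evaluated; this is a top-level check only.
password_auth_enabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    [ "${val:-yes}" = "yes" ]
}

# "yes"/"no" wrapper so the result can be compared as text.
password_auth_status() {
    if printf '%s\n' "$1" | password_auth_enabled; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample configs: the "before" state Carlos describes, and the
# same file after the directive is flipped.
BEFORE_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no'

AFTER_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

ssh_allowlist_rules "$SSH_PORT" $ALLOWED_SOURCES
echo
knock_rules "$SSH_PORT" "$KNOCK_PORT"
echo
echo "before: passwords enabled = $(password_auth_status "$BEFORE_CONFIG")"
echo "after:  passwords enabled = $(password_auth_status "$AFTER_CONFIG")"
```

The knock packet itself travels in the clear, so anyone sniffing the path can replay it; the knock hides the port from scanners and keeps the logs quiet, it does not authenticate the client. Key-only sshd behind it still does the real work. After editing sshd_config, keep the current session open and test a fresh login before logging out.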

