[SlugLUG] War Stories

Erich Blume eblume at ucsc.edu
Sun Jun 11 18:54:50 PDT 2006


So, I had a -lot- of fun earlier today reading through my logfiles. It turns
out yesterday I was the subject of a massive brute-force attempt to break in
to my system. I took some appropriate steps and confirmed that the machines
that were doing the probing were part of a zombie-net.

My security did admirably in all respects except a few, and so now I come to
you all and ask for help in fixing them.

Firstly, how can I set up sshd to shut out an IP temporarily after say, six
failed logins? Currently the only limiting factor is the three or four
second delay between password prompts and the pam rejection after three
tries. A five-minute shutout period would, at the very least, deter a
brute-force attempt.

Secondly, how can I set up my logger (metalog) to email me (at
eblume at ucsc.edu) when a lot of this bad stuff starts happening?

Thirdly, any other suggestions?

I was serious about having fun, though. It's very vindicating for your
firewall, etc. to work properly.

On this note, though: I've noticed something that seemed like a very good
idea. This might be really obvious and common practice, but I figured it out
on my own, and I'd like to put this to you RFC. See, I set my system
password to something like a twenty-digit random sequence. I don't remember
it, the idea is that it's a scrambled password. I have sudo set up to let
people in wheel have root access, though. Is this a bad idea? Am I in
trouble, doing that?

Thanks,
Erich 
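One way to turn the log-watching part of the question into working detection logic, as an added example that is not from the post and is not code from metalog or sshd: it parses syslog-style sshd "Failed password" lines, counts failures per source address inside a sliding five-minute window, and reports any address that reaches six failures, the threshold proposed above. The log lines are constructed for the example (hostname, addresses and PIDs are made up), and the year is an assumption because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of what metalog/syslog would record from sshd.
# Addresses are documentation ranges, PIDs and hostname are made up.
SAMPLE_LOG = """\
Jun 10 03:12:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Jun 10 03:12:05 host sshd[2103]: Failed password for invalid user test from 198.51.100.23 port 41030 ssh2
Jun 10 03:12:09 host sshd[2105]: Failed password for root from 198.51.100.23 port 41044 ssh2
Jun 10 03:12:14 host sshd[2107]: Failed password for invalid user guest from 198.51.100.23 port 41050 ssh2
Jun 10 03:12:18 host sshd[2109]: Failed password for invalid user oracle from 198.51.100.23 port 41061 ssh2
Jun 10 03:12:22 host sshd[2111]: Failed password for invalid user postgres from 198.51.100.23 port 41070 ssh2
Jun 10 03:40:10 host sshd[2200]: Failed password for erich from 192.0.2.7 port 50012 ssh2
Jun 10 03:40:30 host sshd[2202]: Accepted password for erich from 192.0.2.7 port 50014 ssh2
Jun 10 09:00:00 host sshd[2300]: Failed password for root from 203.0.113.5 port 33000 ssh2
Jun 10 10:00:00 host sshd[2301]: Failed password for root from 203.0.113.5 port 33001 ssh2
"""

# Syslog prefix ("Mon DD HH:MM:SS host sshd[pid]:") followed by the
# "Failed password" message; "invalid user" is present when the name is unknown.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_syslog_ts(ts: str, year: int = 2006) -> datetime:
    """Syslog timestamps carry no year; the year of the logfile is assumed."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)


def failed_logins(log_text: str):
    """Yield (timestamp, user, ip) for every failed password attempt, in file order."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield parse_syslog_ts(m["ts"]), m["user"], m["ip"]


def find_brute_force(log_text: str, threshold: int = 6, window_seconds: int = 300) -> dict:
    """Return {ip: failures} for every source that reaches `threshold` failures
    within any `window_seconds` span. Each source is reported once, with the
    count seen at the moment it tripped the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    offenders = {}
    for ts, _user, ip in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = len(q)
    return offenders


def format_alert(offenders: dict, threshold: int = 6) -> str:
    """Render the offender list as the body of a notification mail."""
    if not offenders:
        return ""
    lines = [f"sshd brute-force alert: {len(offenders)} source(s) reached {threshold} failed logins"]
    for ip, n in sorted(offenders.items()):
        lines.append(f"  {ip}: {n} failures inside the window")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(find_brute_force(SAMPLE_LOG)))
```

Run against the sample, only 198.51.100.23 is reported: the single failure from 192.0.2.7 is normal user error, and the two root failures from 203.0.113.5 are an hour apart, so they never share a five-minute window. The string from `format_alert` is what a logger's alert hook would hand to a mail command, and the returned offender list is the input to whatever temporary firewall or tcpwrapper rule one chooses for the shutout period.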