[SlugLUG] War Stories

Rohan Sheth rohan at rohan.ws
Sun Jun 11 19:34:48 PDT 2006


Off the top of my head, I know how to do it with iptables:

iptables -I INPUT -s 123.123.123.123 -j DROP

--Rohan
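Erich's first question in the quoted thread below (shut an address out after about six failed logins, and get told when it happens) joined to the iptables rule above: an added example, not code from the list thread, that counts sshd "Failed password" lines per source address inside a sliding time window and builds the DROP rule for each offender. The log lines, hostname, year and the 192.0.2.7 address are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (not a real log): six failures from
# one address within four minutes, one failure then a success from another.
SAMPLE_LOG = """\
Jun 10 03:12:01 box sshd[4021]: Failed password for invalid user admin from 123.123.123.123 port 40212 ssh2
Jun 10 03:12:06 box sshd[4023]: Failed password for invalid user test from 123.123.123.123 port 40219 ssh2
Jun 10 03:12:11 box sshd[4025]: Failed password for invalid user oracle from 123.123.123.123 port 40230 ssh2
Jun 10 03:13:40 box sshd[4031]: Failed password for root from 123.123.123.123 port 40301 ssh2
Jun 10 03:14:02 box sshd[4033]: Failed password for root from 123.123.123.123 port 40305 ssh2
Jun 10 03:15:55 box sshd[4040]: Failed password for root from 123.123.123.123 port 40410 ssh2
Jun 10 09:00:10 box sshd[5100]: Failed password for erich from 192.0.2.7 port 51000 ssh2
Jun 10 09:00:20 box sshd[5100]: Accepted password for erich from 192.0.2.7 port 51000 ssh2
"""

# One failed-password line: timestamp, optional "invalid user", name, source IP.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_failures(log_text, year=2006):
    """Yield (timestamp, user, ip) per failed-password line; syslog omits the year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def offenders(log_text, threshold=6, window=timedelta(minutes=5)):
    """Map IP -> total failures for each IP with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

def block_rules(hits):
    """The iptables rule above, one per offender (strings only; nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(hits)]
```

The strings from block_rules are what a log watcher would hand to the shell, and the offenders dict is what it would put in the mail Erich asks for.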


Erich Blume wrote:
> Oh, agreed. I did that ages ago. He guessed about 500 user names - without a
> doubt it would take him centuries and centuries to guess a correct
> password/username combo. But if I could set it to do that IP blocking thing,
> that'd at least make me feel a bit more secure.
>
> -Erich
>
> On 6/11/06 7:04 PM, "Rohan Sheth" <rohan at rohan.ws> wrote:
>
>> The best way of locking out would-be crackers/hackers that I have used
>> is simply denying root login in /etc/ssh/sshd_config.  Most people can
>> try to bruteforce my machines, but they would need to first know my
>> login name and then my password.  If root login was enabled through ssh,
>> they would simply have to brute the password.
>>
>> --Rohan
>>
>> Erich Blume wrote:
>>> So, I had a -lot- of fun earlier today reading through my logfiles. It turns
>>> out yesterday I was the subject of a massive brute-force attempt to break in
>>> to my system. I took some appropriate steps and confirmed that the machines
>>> that were doing the probing were part of a zombie-net.
>>>
>>> My security did admirably in all respects except a few, and so now I come to
>>> you all and ask for help in fixing them.
>>>
>>> Firstly, how can I set up sshd to shut out an IP temporarily after say, six
>>> failed logins? Currently the only limiting factor is the three or four
>>> second delay between password prompts and the pam rejection after three
>>> tries. A five-minute shutout period would, at the very least, deter a
>>> brute-force attempt.
>>>
>>> Secondly, how can I set up my logger (metalog) to email me (at
>>> eblume at ucsc.edu) when a lot of this bad stuff starts happening?
>>>
>>> Thirdly, any other suggestions?
>>>
>>> I was serious about having fun, though. It's very vindicating for your
>>> firewall, etc. to work properly.
>>>
>>> On this note, though: I've noticed something that seemed like a very good
>>> idea. This might be really obvious and common practice, but I figured it out
>>> on my own, and I'd like to put this to you RFC. See, I set my system
>>> password to something like a twenty-digit random sequence. I don't remember
>>> it, the idea is that it's a scrambled password. I have sudo set up to let
>>> people in wheel have root access, though. Is this a bad idea? Am I in
>>> trouble, doing that?
>>>
>>> Thanks,
>>> Erich 
>>>
>>>
>>> _______________________________________________
>>> Sluglug mailing list
>>> Sluglug at sluglug.ucsc.edu
>>> http://sluglug.ucsc.edu/cgi-bin/mailman/listinfo/sluglug

