[nSLUG] Re: my system was cracked!
lhickson at gmail.com
Sun Jun 4 10:03:27 ADT 2006
One thing I do is routinly check for failed attempts manually from
unknown ip addresses. Then block the whole range.
an example I have in my setup:
iptables -I banned 2 -s 22.214.171.124/24 -j REJECT
iptables -I banned 3 -s 126.96.36.199/24 -j REJECT
iptables -I banned 4 -s 188.8.131.52/24 -j REJECT
iptables -I banned 5 -s 184.108.40.206/24 -j REJECT
iptables -I banned 6 -s 220.127.116.11/24 -j REJECT
iptables -I banned 7 -s 18.104.22.168/24 -j REJECT
iptables -I banned 8 -s 22.214.171.124/24 -j REJECT
iptables -I banned 9 -s 126.96.36.199/24 -j REJECT
Also I reject/drop any requests from certian geographical areas. Quick
google search should help list some ip ranges.
Something else I reccommend checking on is an article entitled
"Defending against SSH brute force attacks" which can be found at
Your mileage may vary but I hope this helps.
On 6/3/06, ricardd at mathstat.dal.ca <ricardd at mathstat.dal.ca> wrote:
> Someone remotely cracked into my system on Thursday afternoon when I was
> at the CEOS conference and my laptop was running in my office at
> Dalhousie. Another machine running Ubuntu was cracked into last week as
> This is a first for me and it now makes me feel vulnerable. A few pros
> looked at my machine at the InstallFest yesterday and had various
> explanations for what happened.
> I discovered that something was wrong when I tried to login as user
> postgres and the password wasn't accepted. I then reset the password for
> postgres and logged in as user postgres. The history of command included
> things that I didn't type and were malicious (dowload an admin kit, etc).
> After that, I could not log in as root anymore, the "sudo" command must've
> be corrupted. We rebooted from a CD and noticed that the entries for sudo
> in /etc/passwd and /etc/shadows were indeed corrupted. The root password
> was reset by editing the files in a text editor and rebooting. The dudes
> also suggested a re-install of my whole system.
> So, short of hiring a sysadmin, what should I do to protect myself against
> this? I'd like to get a "checklist" of things that I should watch for
> after I reinstall. For example:
> - run a firewall
> - change the ssh listening port to something other than 22
> - use strong passwords for everything (the postgres password was weak)
> - ...
> Suggestions, comments? And, yes, I will get a "Security for Linux" book
> and read it.
> Dan (running my own InstallFest this weekend)
> nSLUG mailing list
> nSLUG at nslug.ns.ca
More information about the nSLUG