[nSLUG] Re: my system was cracked!

Luke Hickson lhickson at gmail.com
Sun Jun 4 10:03:27 ADT 2006


One thing I do is routinely check for failed attempts manually from
unknown IP addresses. Then block the whole range.

An example I have in my setup:

iptables -I banned 2 -s 61.0.0.0/24 -j REJECT
iptables -I banned 3 -s 62.0.0.0/24 -j REJECT
iptables -I banned 4 -s 63.0.0.0/24 -j REJECT
iptables -I banned 5 -s 64.0.0.0/24 -j REJECT
iptables -I banned 6 -s 66.0.0.0/24 -j REJECT
iptables -I banned 7 -s 67.0.0.0/24 -j REJECT
iptables -I banned 8 -s 68.0.0.0/24 -j REJECT
iptables -I banned 9 -s 69.0.0.0/24 -j REJECT

Also I reject/drop any requests from certain geographical areas. A quick
Google search should help list some IP ranges.

Something else I recommend checking on is an article entitled
"Defending against SSH brute force attacks", which can be found at
www.fduran.com/wordpress/?p21

Your mileage may vary but I hope this helps.

Cheers, Luke


On 6/3/06, ricardd at mathstat.dal.ca <ricardd at mathstat.dal.ca> wrote:
> Hello,
> Someone remotely cracked into my system on Thursday afternoon when I was
> at the CEOS conference and my laptop was running in my office at
> Dalhousie. Another machine running Ubuntu was cracked into last week as
> well.
>
> This is a first for me and it now makes me feel vulnerable. A few pros
> looked at my machine at the InstallFest yesterday and had various
> explanations for what happened.
>
> I discovered that something was wrong when I tried to login as user
> postgres and the password wasn't accepted. I then reset the password for
> postgres and logged in as user postgres. The command history included
> things that I didn't type and were malicious (download an admin kit, etc).
> After that, I could not log in as root anymore; the "sudo" command must've
> been corrupted. We rebooted from a CD and noticed that the entries for sudo
> in /etc/passwd and /etc/shadows were indeed corrupted. The root password
> was reset by editing the files in a text editor and rebooting. The dudes
> also suggested a re-install of my whole system.
>
> So, short of hiring a sysadmin, what should I do to protect myself against
> this? I'd like to get a "checklist" of things that I should watch for
> after I reinstall. For example:
>
> - run a firewall
> - change the ssh listening port to something other than 22
> - use strong passwords for everything (the postgres password was weak)
> - ...
>
> Suggestions, comments? And, yes, I will get a "Security for Linux" book
> and read it.
> Cheers,
>
> Dan (running my own InstallFest this weekend)
>

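The check Luke describes above (scan the auth log for failed attempts, then add the offending source to a "banned" iptables chain), written out as an added shell example that is not part of the original post. The sshd log lines are constructed sample data, and the threshold of 3 attempts and the chain name "banned" are assumptions; the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not Luke's script): count failed SSH password attempts per
# source address in syslog-style auth log text and print iptables rules that
# reject offenders in a user-defined "banned" chain.

# Constructed sample of sshd entries in the format of /var/log/auth.log.
SAMPLE_LOG='Jun  4 09:58:01 laptop sshd[4121]: Failed password for postgres from 203.0.113.7 port 50211 ssh2
Jun  4 09:58:03 laptop sshd[4121]: Failed password for postgres from 203.0.113.7 port 50212 ssh2
Jun  4 09:58:05 laptop sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
Jun  4 09:58:06 laptop sshd[4125]: Failed password for invalid user test from 198.51.100.9 port 40100 ssh2
Jun  4 09:58:09 laptop sshd[4127]: Accepted publickey for dan from 192.0.2.10 port 33333 ssh2'

# Print "count ip" for every source address with at least $2 failed
# password attempts in the log text $1, most attempts first.
failed_by_ip() {
    printf '%s\n' "$1" \
      | awk -v min="$2" '
          /sshd\[[0-9]+\]: Failed password for / {
              # the source address is the field right after "from"
              for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
          }
          END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }' \
      | sort -rn
}

# Turn the offender list into iptables commands (printed, not executed)
# that reject each address in the "banned" chain, as in the rules above.
ban_rules() {
    failed_by_ip "$1" "$2" | awk '{ printf "iptables -A banned -s %s -j REJECT\n", $2 }'
}

# Assumed threshold: three or more failed passwords gets the address banned.
ban_rules "$SAMPLE_LOG" 3
```

Review the printed rules before running them, since a single /24 or a whole address block can take legitimate users with it.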