[Gllug] Router under attack: help/advice needed

Andrew Farnsworth farnsaw at stonedoor.com
Wed Sep 30 17:16:48 UTC 2009


On Wed Sep 30 12:56, David Damerell <damerell at chiark.greenend.org.uk> sent:

>On Wednesday, 30 Sep 2009, Andrew Farnsworth wrote:
>>My server receives SSH login attempts on a regular basis.  These are
>>dictionary attacks against various usernames and have not succeeded
>>in gaining access to my system.
>
>This has been going on for ages now - months if not years. Pretty much
>any world-accessible ssh daemon will be being prodded. If you don't
>want to go down the route of port knocking or running sshd on a
>non-standard port, I'd consider something that filters hosts with
>repeated login failures - "denyhosts" is good (in particular, the
>current attack pattern is that instead of one machine hammering on you
>repeatedly, which anything like SWATCH can easily pick up, the attacks
>are distributed, so machine A tries you once, goes off and tries a
>bunch of others, comes back half an hour later, meantime machines
>B...ZZZ are trying you - so the blocking tool has to have a long
>memory); not permitting direct root login; not having usernames which
>are forenames alone (the bad guys will try "joe" but probably not
>"jbloggs"); run your own cracking tool on users' passwords.

I do actually run denyhosts and it is very good.  I still get reports on these
attacks and they show up in my logs, which is how I generate a personal report
which I then send off to the ISP in question... yes, it takes a bit of personal
time, but I feel it is time not wasted...  Luckily, I am the only user on the
system.

Andy
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
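
The "long memory" point in the quoted advice, as an added example that is not part of the original thread and is not denyhosts' own code: the same failure threshold is applied to sshd log lines with a 5-minute memory and with a 7-day memory. The log lines, hostnames, addresses, and the function names `failures` and `hosts_to_block` are constructed for illustration, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (documentation-range IPs), not taken from the thread.
# 192.0.2.10 returns about every half hour; 198.51.100.7 hammers in one burst.
SAMPLE_LOG = """\
Sep 30 10:00:01 box sshd[101]: Failed password for invalid user joe from 192.0.2.10 port 40001 ssh2
Sep 30 10:15:00 box sshd[102]: Failed password for root from 198.51.100.7 port 40002 ssh2
Sep 30 10:15:02 box sshd[103]: Failed password for root from 198.51.100.7 port 40003 ssh2
Sep 30 10:15:04 box sshd[104]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2
Sep 30 10:31:10 box sshd[105]: Failed password for invalid user bob from 192.0.2.10 port 40005 ssh2
Sep 30 10:40:00 box sshd[106]: Failed password for invalid user joe from 203.0.113.5 port 40006 ssh2
Sep 30 11:02:30 box sshd[107]: Failed password for invalid user sam from 192.0.2.10 port 40007 ssh2
Sep 30 11:10:00 box sshd[108]: Accepted publickey for andy from 203.0.113.99 port 40008 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def failures(log_text, year=2009):
    """Yield (timestamp, host) per failed login; the year is an assumption."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield stamp, m.group(2)

def hosts_to_block(log_text, threshold, memory):
    """Hosts with at least `threshold` failures inside any span of length `memory`."""
    recent = defaultdict(deque)   # host -> failure times still inside the memory span
    flagged = set()
    for ts, host in sorted(failures(log_text)):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > memory:   # forget failures older than the memory span
            q.popleft()
        if len(q) >= threshold:
            flagged.add(host)
    return flagged

if __name__ == "__main__":
    # The burst source is caught either way; the slow returner only with long memory.
    print("5-minute memory:", hosts_to_block(SAMPLE_LOG, 3, timedelta(minutes=5)))
    print("7-day memory:  ", hosts_to_block(SAMPLE_LOG, 3, timedelta(days=7)))
```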



