boot force attack help

Doran L. Barton fozz at iodynamics.com
Mon Jul 25 16:29:36 MDT 2005


Michael Torrie wrote:

> I find this a little odd, though, since I haven't had a compromised
> Fedora Core machine ever, as long as I just did yum updates (as it
> sounds like you did).  

These types of SSH attacks stem from using weak passwords. The worst, of 
course, is when you allow root login via SSH and have a weak root password.

To prevent this from happening on a Fedora Core system, I always edit 
the /etc/ssh/sshd_config file after installation and turn 
PermitRootLogin to "no."

Then, set up iptables to only allow ssh access from trusted hosts or 
configure sshd to only allow logins with keys and not passphrases.

If you must allow ssh logins from any source IP, consider a program like 
denyhosts.py[1] that will parse your log files every X minutes (as 
dictated by your crontab entry) to determine which IPs are trying to 
"boot force" their way into your system and sets up the appropriate 
/etc/hosts.deny entries.

-=Fozz

[1] < http://denyhosts.sf.net/ >

-- 
fozz at iodynamics.com is Doran L. Barton, president, Iodynamics LLC
Iodynamics: Linux solutions - Web development - Business connectivity
  "It's the true realization of my aspiration. I hope to play along with the
   heartiest gadgetry manifesting my sensibility."
     -- Seen on a Sanyo appliance box
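The two defensive steps described in the message above, as an added example that is neither part of the original post nor code from the denyhosts project: a small audit of the `sshd_config` settings the author changes (`PermitRootLogin`, plus password logins for the key-only variant), and the mechanism denyhosts-style tools apply, counting failed SSH logins per source IP in the authentication log and emitting `/etc/hosts.deny` entries once a threshold is crossed. The log lines and the config excerpt are constructed, the log format is assumed to be the `Failed password for ... from <ip> port` form written by OpenSSH to `/var/log/secure` on Fedora Core, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (not real traffic, documentation IPs).
SAMPLE_LOG = """\
Jul 25 16:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jul 25 16:01:05 host sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Jul 25 16:01:09 host sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 40140 ssh2
Jul 25 16:02:11 host sshd[2110]: Accepted publickey for fozz from 198.51.100.7 port 51000 ssh2
Jul 25 16:03:40 host sshd[2120]: Failed password for invalid user oracle from 203.0.113.5 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def count_failures(lines):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offending_hosts(lines, threshold=3):
    """Source IPs with at least `threshold` failed logins (threshold is an assumed value)."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= threshold)


def hosts_deny_entries(lines, threshold=3):
    """Lines in /etc/hosts.deny syntax: 'sshd: <ip>' blocks that IP for the sshd service."""
    return ["sshd: %s" % ip for ip in offending_hosts(lines, threshold)]


# Constructed sshd_config excerpt: root login already turned off as the post
# recommends, but password logins still enabled.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
"""


def sshd_settings(text):
    """Parse keyword/value pairs the way sshd reads them: comments and blank lines
    are ignored, keywords are case-insensitive, and the FIRST value for a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Report the two settings the post cares about. The OpenSSH default for
    PermitRootLogin at the time (2005) was 'yes', so a missing keyword is treated as 'yes'."""
    s = sshd_settings(text)
    findings = []
    if s.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin should be 'no'")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (key-only logins)")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", finding)
    for entry in hosts_deny_entries(SAMPLE_LOG.splitlines()):
        print("hosts.deny:", entry)
```

Run from cron every few minutes against the real log and append the returned entries to `/etc/hosts.deny`; the single failure from the second IP stays below the threshold, which is the point of counting rather than blocking on the first bad password. The first-match-wins rule in `sshd_settings` matters for the audit: a hardened `PermitRootLogin no` placed below an existing `PermitRootLogin yes` line has no effect.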
