Gregg C Levine wrote:
Hello from Gregg C Levine
Question, is anyone seeing activity on their Internet connected L/390
systems regarding the SSH port, and this NOUSER thing? All of a sudden
I'm seeing anywhere from two to as many as four different attacks on
my system, Slackware 10.1 with all of the noted security fixed items
applied. Including a pair of them today. The last one seemed to be
originating from a public ISP in Korea, the one before from a school
in Taiwan.

I was originally told by a couple of experts about an SSH based Trojan
or worm running someplace inside the Internet, or something along
those lines. But this was nearly six months earlier. Could there still
be infected machines out there?

Just looking for advice, and opinions.

I see several hundreds per day on my (not L390) boxes. Short of closing
down sshd I don't see much can be done.

On one of my systems, I have
1. Turned off all password authentication
2. Written firewall rules to limit connexions to specific IP address
ranges that have me covered. This reduces the number of attempts
considerably.

One of our systems was penetrated by a sloppy user-chosen password. Since
then, I have
1. Changed the firewall rules so that incoming SSH lands on my desktop
and not the server.
2. Changed the rules so _I_ choose passwords. _I_ use a password
generator which produces gems such as et3tUfGd (now defunct). There is
still mail to protect. For user-chosen passwords I suggest two (or
more) unrelated words such as cowblue. I figure those won't be in
people's attack dictionary.

Also, I use a VPN for most connexions. My choice is openvpn. I can
connect to anything I need to with ssh over the vpn, and you will have
some difficulty accessing my 192.168.1.10.




--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
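
An added example, not part of the original thread: a small log summary that counts failed SSH logins per source address and shows which sources a firewall allow-list like the one described in the reply would drop. The log line formats, the sample lines, the addresses (documentation ranges) and the allowed range are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style sshd writes to syslog; not from a real host.
SAMPLE_LOG = """\
Jun  3 04:11:02 host sshd[2101]: Illegal user admin from 203.0.113.7
Jun  3 04:11:04 host sshd[2101]: Failed password for illegal user admin from 203.0.113.7 port 40112 ssh2
Jun  3 04:11:09 host sshd[2104]: Invalid user test from 203.0.113.7
Jun  3 04:11:11 host sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Jun  3 04:12:30 host sshd[2110]: Failed password for root from 198.51.100.23 port 51514 ssh2
Jun  3 09:00:41 host sshd[2290]: Failed password for john from 192.0.2.15 port 50022 ssh2
Jun  3 09:00:47 host sshd[2290]: Accepted password for john from 192.0.2.15 port 50022 ssh2
"""

# One event per failed attempt; "illegal user" / "invalid user" marks a name
# that does not exist on the host (assumed wording, it varies by sshd version).
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<unknown>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, allowed_cidrs):
    """Per source address: failed logins, names tried, and allow-list status."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    stats = defaultdict(lambda: {"failures": 0, "unknown_users": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # sshd logged a hostname instead of an address; skip it
        entry = stats[str(addr)]
        entry["failures"] += 1
        entry["users"].add(m.group("user"))
        if m.group("unknown"):
            entry["unknown_users"] += 1
        entry["allowed"] = any(addr in n for n in nets)
    return dict(stats)

def blocked_by_allowlist(stats):
    """Sources with failures that a firewall limited to allowed_cidrs would drop."""
    return sorted(ip for ip, e in stats.items() if not e["allowed"])

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, ["192.0.2.0/24"])
    for ip, e in sorted(report.items(), key=lambda kv: -kv[1]["failures"]):
        print(ip, e["failures"], e["unknown_users"], sorted(e["users"]), e["allowed"])
    print("outside allow-list:", blocked_by_allowlist(report))
```

Failures that remain from inside the allowed range are the ones worth reading by hand, since the firewall rule will not remove them.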
