Matthew Palmer wrote:

Put up at http://www.hezmatt.org/~mpalmer/talks/2004/security-slug/, please
be gentle with my ADSL link.

- Matt



Had a similar thing happen to one of my firewalls last week; however, the attacker was not able to gain any foothold from the account with a weak password as the kernel didn't let him.
Basically, a really really poor choice of password from a user, guy gets in, keeps trying like 5 different root kits and then gets found out. User gets arse kicked, machine gets checked over thoroughly, everyone is happy.
I have found grsec to be extremely valuable in this sort of instance, along with keeping your kernel up to date - most of the root kits exploit some sort of kernel vulnerability, and grsec prevents many other things from becoming a problem as well.
I have kept an eye on the box in question closely - there have been a few more attempts at logging in but none successful.


The other useful thing that might help people is that most sshds on Linux have tcpwrappers compiled in, so if you don't want to block things using iptables you can block everything in hosts.deny and allow whole subnets in hosts.allow.

dave
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
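Dave's hosts.deny/hosts.allow suggestion, as an added example that is not part of the thread: a simplified model of the tcp_wrappers decision order (hosts.allow first, then hosts.deny, otherwise allow), so a rule pair can be sanity-checked before it is installed on a remote box. It assumes only the IPv4 pattern subset named in the docstring and the constructed sample addresses and rule files shown.

```python
"""Simplified model of tcp_wrappers (hosts_access(5)) decision logic.

Added example, not from the original mailing-list thread.  It handles only
IPv4 client patterns: ALL, an exact address, a "n.n.n.n/m.m.m.m" net/mask
pair, and a trailing-dot prefix such as "192.168.".  Real libwrap also
handles hostnames, LOCAL/KNOWN/UNKNOWN, EXCEPT lists and shell commands.
"""
import ipaddress

def _pattern_matches(pattern: str, client: str) -> bool:
    """Return True if one client pattern from a rule matches the client IP."""
    pattern = pattern.strip()
    addr = ipaddress.IPv4Address(client)
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask pair, e.g. 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):               # dotted prefix, e.g. "192.168."
        return client.startswith(pattern)
    return addr == ipaddress.IPv4Address(pattern)

def _file_matches(rules: str, daemon: str, client: str) -> bool:
    """True if any 'daemon_list : client_list' line in the file matches."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 2)[:2])
        daemon_ok = daemons == "ALL" or daemon in [d.strip() for d in daemons.split(",")]
        if daemon_ok and any(_pattern_matches(p, client) for p in clients.split(",")):
            return True
    return False

def access_allowed(hosts_allow: str, hosts_deny: str, daemon: str, client: str) -> bool:
    """tcpd order: hosts.allow first (match -> allow), then hosts.deny
    (match -> deny); no match in either file means access is GRANTED,
    which is why an empty hosts.deny leaves sshd open to everyone."""
    if _file_matches(hosts_allow, daemon, client):
        return True
    if _file_matches(hosts_deny, daemon, client):
        return False
    return True

# Constructed sample configuration in the style Dave describes:
# deny sshd to everyone, then let one office subnet back in.
HOSTS_ALLOW = "sshd: 192.168.1.0/255.255.255.0\n"
HOSTS_DENY = "sshd: ALL   # default deny; anything not in hosts.allow is refused\n"
```

Run `access_allowed(HOSTS_ALLOW, "", "sshd", "203.0.113.9")` to see the failure mode: with no deny rule the allow file alone blocks nothing.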
