Re: [SLUG] Chinese intruder yesterday

2009-08-18 Thread Jobst Schmalenbach
On Fri, Aug 14, 2009 at 11:32:55AM +1000, Jake Anderson (ya...@vapourforge.com) wrote:
> On 14/08/09 06:02, Jim Donovan wrote:

snipping lots of stuff that is unrelated to a particular speaking group of people

> > Bastards.
> > This is why I hate the French.
> they make some darn good pastri

Re: [SLUG] Chinese intruder yesterday

2009-08-16 Thread Matthew Hannigan
On Fri, Aug 14, 2009 at 07:05:15AM +1000, Erik de Castro Lopo wrote:
> Jim Donovan wrote:
> >
> > I had port 22 open for a few hours yesterday but closed it when I
> > noticed the following.
>
> An open port 22 can be made safe. There are numerous articles available
> on the net like the following:

Re: [SLUG] Chinese intruder yesterday

2009-08-14 Thread Glen Turner
On 14/08/09 21:28, Rick Welykochy wrote:
> Dare I ask why the distro should drop the first user's account in sshin?

Headless installs.

-- Glen Turner

-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org

Re: [SLUG] Chinese intruder yesterday

2009-08-14 Thread Rick Welykochy
Glen Turner wrote:
> I really wish distributors would add a "sshin" group by default, drop the first user's account in it, and let the sysadmin add any further users that might need remote access.

Dare I ask why the distro should drop the first user's account in sshin?

cheers
rickw

Re: [SLUG] Chinese intruder yesterday

2009-08-14 Thread Glen Turner
On 14/08/09 05:32, Jim Donovan wrote:
> He was evidently working from a list

I really wish distributors would add a "sshin" group by default, drop the first user's account in it, and let the sysadmin add any further users that might need remote access.

-- Glen Turner

Re: [SLUG] Chinese intruder yesterday

2009-08-13 Thread Nigel Allen
Robert Collins wrote:
> Also, passwordauthentication no in sshd_config is a very useful step ;)
> -Rob

I've been using fail2ban for a while and hand-rolled a script that runs every fifteen minutes that:
a) grabs all the IP addresses from the fail2ban log
b) adds them to /etc/hosts.deny
c) c

Re: [SLUG] Chinese intruder yesterday

2009-08-13 Thread Daniel Pittman
Morgan Storey writes:
> I am a big fan of the denyhosts package, it can warn you via email or sms
> gateway and lock IPs out on x number of failed attempts.

I am not sure I care that much about knowing every time a robot gets banned. ;)

Anyway, I found the distributed nature of denyhosts a muc

Re: [SLUG] Chinese intruder yesterday

2009-08-13 Thread Jake Anderson
On 14/08/09 06:02, Jim Donovan wrote:
> I had port 22 open for a few hours yesterday but closed it when I noticed the following. He was evidently working from a list; most intruders seem content to try a few password guesses for root/guest/mysql etc. Many of his usernames seem pretty unlikely. P

Re: [SLUG] Chinese intruder yesterday

2009-08-13 Thread Morgan Storey
I am a big fan of the denyhosts package; it can warn you via email or SMS gateway and lock IPs out on x number of failed attempts.

There is also port knocking, which I have found useful for remote support, but it is too difficult for end users I think.

On Fri, Aug 14, 2009 at 7:18 AM, Robert Colli

Re: [SLUG] Chinese intruder yesterday

2009-08-13 Thread Robert Collins
Also, passwordauthentication no in sshd_config is a very useful step ;)

-Rob

Re: [SLUG] Chinese intruder yesterday

2009-08-13 Thread Erik de Castro Lopo
Jim Donovan wrote:
> I had port 22 open for a few hours yesterday but closed it when I
> noticed the following.

An open port 22 can be made safe. There are numerous articles available on the net like the following:

http://www.linuxjournal.com/article/8759
http://www.debian-administration

[SLUG] Chinese intruder yesterday

2009-08-13 Thread Jim Donovan
I had port 22 open for a few hours yesterday but closed it when I noticed the following. He was evidently working from a list; most intruders seem content to try a few password guesses for root/guest/mysql etc. Many of his usernames seem pretty unlikely. Perhaps I should set up a honeypot accoun