Re: Brute force attack - need your advice

[Keith Kilroy <keith () securitynow us>]

Lock down your server so only needed ports are open, move ssh above  
the norm scan range, setup SNORT and learn how to use it, harden and  
update all progz. Check for web app holes.....buffer overflows etc.

The only box that is safe is the one unplugged hdd removed and  
destroyed and rest of system locked in a closet.

I just came off a gig with a presidential candidate (a lot of attacks  
are targeted at those guys), ever heard of DDOS and botnets. move all  
default ports you can and have their services report different than  
what is really there.

Just perform your due diligence and watch and archive your logs.

If you are detecting the brute force attacks then you can stop them.

Believe me if you've posted anywhere before your email is out anyway.  
Just try to stay ahead of the curve. Harden, log, respond. Oh yeah be  
sure to perform your backups, if someone besides a Script Kiddie wants  
in they'll get in. The only way to get ISP's to cooperate sometimes  
involve getting the FBI involved (very fun and time consuming) but be  
ready for them to seize your servers until either you (if a forensic  
specialist) or they create a sound image /w hashes of your drives. but  
most can be traced to the source if it too bad, you'll just go through  
hell and strict guidelines that must be followed if you get them  
involved. But if you try to hack back you'll be on the wrong side of  
the bars. so tread lightly. better off securing your stuff and  
monitoring with dynamic blocking that times out after a period of  
time. Rank the attacker when it hits a 5 blockem for 30 min then if it  
reoccurs and they achieve a high score then auto block em again  
longer. the scripts are not that hard to write. Heck you can even  
google and download some to get you started. chances are if you are  
not real easy to exploit  they'll move on to the next box.

Most here would rather report the vulnerabilities so you can fix em.

my 2cents take it for what it's worth.

On Feb 12, 2008, at 2:41 AM, Tonnerre Lombard wrote:

> Salut, Abilash,
>
> On Tue, 12 Feb 2008 02:16:02 +0530, Abilash Praveen wrote:
> > I had been talking to our web hosts the other day and they seem to
> > have a lot of unusual brute force attack on the servers recently. I'm
> > guessing that it could be because of my emails to the list? I mean,
> > do you advice on using a personal email for this type of list? Or
> > should I use something like @ gmail.com? I know they can't easily
> > break in to our servers, but am I just giving them a chance?
>
> I don't really think that this is closely related to the use of your
> mail address. Outside in the real nature, there is rain/snow/whatever,
> which occurs from time to time in some type of natural cycle, and you
> can't help it.
>
> The same goes for SPAM and worms/virii/other automated attacks.  
> They'll
> always be there, like the rain and the show. What you should do is put
> on a rain coat: make sure your systems are up to date and looking
> regularly for holes in the coat. Keep the SPAM and worms off yourself,
> and whatever flies through your network is just random noise.
>
> (But please don't deduce from this posting that you should use it as
> input in a random number generator to generate cryptographic keys!)
>
>                                 Tonnerre
> --
> SyGroup GmbH
> Tonnerre Lombard
>
> Solutions Systematiques
> Tel:+41 61 333 80 33            Güterstrasse 86
> Fax:+41 61 383 14 67            4053 Basel
> Web:www.sygroup.ch              tonnerre.lombard () sygroup ch
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Attachment: smime.p7s
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/