Full Disclosure mailing list archives
Re: Brute force attack - need your advice
From: <dudevanwinkle () hush ai>
Date: Tue, 12 Feb 2008 11:34:23 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NP FULL-DISCLOSURE ALWAYS IS HAPPY TO SUPPORT AL QAEDA

On Tue, 12 Feb 2008 03:51:02 -0500 Abilash Praveen <contactme () abilashpraveen com> wrote:
> Hello experts,
>
> Thanks for all your rude, honest, polite, helpful replies. I'm really glad I posted here and most of your replies (if not all) are very useful to me. Sorry I am not able to reply individually to everyone, and thank you. I've been using a couple of servers and it was very unusual for me to get brute force on the server on which my personal website is hosted. That is the reason I posted this question. Anyway, I shall keep the server tight. Thanks for the port scan report you have pasted and also the advice on keeping the SSH on a different port. Thanks again to everyone who has replied.
>
> Kind regards,
> Abilash
>
> On 2/12/08, Keith Kilroy <keith () securitynow us> wrote:
>> Lock down your server so only needed ports are open, move ssh above the norm scan range, set up SNORT and learn how to use it, harden and update all progz. Check for web app holes..... buffer overflows etc. The only box that is safe is the one unplugged, hdd removed and destroyed, and the rest of the system locked in a closet. I just came off a gig with a presidential candidate (a lot of attacks are targeted at those guys), ever heard of DDOS and botnets? Move all default ports you can and have their services report different than what is really there. Just perform your due diligence and watch and archive your logs. If you are detecting the brute force attacks then you can stop them. Believe me, if you've posted anywhere before, your email is out anyway. Just try to stay ahead of the curve. Harden, log, respond. Oh yeah, be sure to perform your backups; if someone besides a Script Kiddie wants in, they'll get in. The only way to get ISPs to cooperate sometimes involves getting the FBI involved (very fun and time consuming), but be ready for them to seize your servers until either you (if a forensic specialist) or they create a sound image w/ hashes of your drives. But most can be traced to the source; if it's too bad, you'll just go through hell and strict guidelines that must be followed if you get them involved.
>>
>> But if you try to hack back you'll be on the wrong side of the bars, so tread lightly. Better off securing your stuff and monitoring with dynamic blocking that times out after a period of time. Rank the attacker; when it hits a 5, block 'em for 30 min, then if it reoccurs and they achieve a high score, auto block 'em again longer. The scripts are not that hard to write. Heck, you can even google and download some to get you started. Chances are if you are not real easy to exploit they'll move on to the next box. Most here would rather report the vulnerabilities so you can fix 'em. My 2 cents, take it for what it's worth.
>>
>> On Feb 12, 2008, at 2:41 AM, Tonnerre Lombard wrote:
>>> Salut, Abilash,
>>>
>>> On Tue, 12 Feb 2008 02:16:02 +0530, Abilash Praveen wrote:
>>>> I had been talking to our web hosts the other day and they seem to have a lot of unusual brute force attacks on the servers recently. I'm guessing that it could be because of my emails to the list? I mean, do you advise on using a personal email for this type of list? Or should I use something like @gmail.com? I know they can't easily break in to our servers, but am I just giving them a chance?
>>>
>>> I don't really think that this is closely related to the use of your mail address. Outside in the real nature, there is rain/snow/whatever, which occurs from time to time in some type of natural cycle, and you can't help it. The same goes for SPAM and worms/virii/other automated attacks. They'll always be there, like the rain and the snow. What you should do is put on a rain coat: make sure your systems are up to date and look regularly for holes in the coat. Keep the SPAM and worms off yourself, and whatever flies through your network is just random noise.
>>>
>>> (But please don't deduce from this posting that you should use it as input in a random number generator to generate cryptographic keys!)
>>>
>>> Tonnerre
>>>
>>> --
>>> SyGroup GmbH                 Tonnerre Lombard
>>> Solutions Systematiques      Tel: +41 61 333 80 33
>>> Güterstrasse 86              Fax: +41 61 383 14 67
>>> 4053 Basel                   Web: www.sygroup.ch
>>> tonnerre.lombard () sygroup ch
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkexyisACgkQ+cOIFG8Ql/6QNAP/RpoHcmhVBULCKwq75G1HVY0TnrxU
4lcN7JpHINrM0NNKN07JHZ4xgjLLJfwrTZ+O07509lkNM/RQll38HA0r+BREzna8FFzy
S9MCDUnS1QuE92FDOUa9TfwpzStaGoTBcb2bajPgGxV59RTtGw6v0jnz9etcEDFJlf3X
FA35OHQ=
=0Q7Z
-----END PGP SIGNATURE-----
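Keith Kilroy's suggestion above (score failed logins per source, block at a score of 5 for 30 minutes, block longer on each recurrence, let the block time out) is the logic behind tools such as fail2ban. The script below is an added example written for this archive page; it is not code from the thread or from any poster. It parses OpenSSH "Failed password" syslog lines, keeps a sliding ten-minute window of failures per source IP, and issues bans whose length doubles with every repeat offense. The log lines, the IP addresses (RFC 5737 documentation ranges), the 2008 year assumed for the year-less syslog timestamps, and the window/threshold/ban values are all constructed for the example; the firewall rule is returned as a string rather than executed, so the script runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog timestamps carry no year; the sample assumes 2008 (the thread's date).
LOG_YEAR = 2008

# Constructed sample of sshd lines (not from the thread). 203.0.113.7 is the
# brute forcer; 192.0.2.9 fails twice, far apart; 198.51.100.4 logs in legitimately.
SAMPLE_LOG = """\
Feb 12 03:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 12 03:40:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 12 03:40:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb 12 03:40:06 host sshd[2105]: Failed password for root from 203.0.113.7 port 51031 ssh2
Feb 12 03:40:07 host sshd[2106]: Failed password for invalid user test from 192.0.2.9 port 40002 ssh2
Feb 12 03:40:08 host sshd[2107]: Failed password for root from 203.0.113.7 port 51032 ssh2
Feb 12 03:40:09 host sshd[2109]: Accepted publickey for abilash from 198.51.100.4 port 40001 ssh2
Feb 12 03:55:00 host sshd[2150]: Failed password for root from 203.0.113.7 port 51050 ssh2
Feb 12 04:15:00 host sshd[2201]: Failed password for root from 203.0.113.7 port 51100 ssh2
Feb 12 04:15:02 host sshd[2203]: Failed password for root from 203.0.113.7 port 51101 ssh2
Feb 12 04:15:04 host sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51102 ssh2
Feb 12 04:15:06 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51103 ssh2
Feb 12 04:15:08 host sshd[2209]: Failed password for root from 203.0.113.7 port 51104 ssh2
Feb 12 04:16:00 host sshd[2211]: Failed password for invalid user test from 192.0.2.9 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line):
    """Return (timestamp, user, ip) for an sshd 'Failed password' line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class DynamicBlocker:
    """Score failures per source IP inside a sliding window; ban with doubling duration."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 base_ban=timedelta(minutes=30)):
        self.threshold = threshold      # Keith's "when it hits a 5"
        self.window = window            # failures older than this stop counting
        self.base_ban = base_ban        # first ban: 30 minutes
        self.failures = defaultdict(list)   # ip -> recent failure timestamps
        self.offenses = defaultdict(int)    # ip -> number of bans issued so far
        self.banned_until = {}              # ip -> datetime the block expires
        self.bans = []                      # (ip, start, minutes) for each ban issued

    def is_blocked(self, ip, now):
        return self.banned_until.get(ip, datetime.min) > now

    def record_failure(self, ip, now):
        """Count one failure; return the ban length in minutes if a block is triggered."""
        if self.is_blocked(ip, now):
            return None                 # already dropped at the firewall; don't re-score
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) < self.threshold:
            return None
        self.offenses[ip] += 1
        duration = self.base_ban * (2 ** (self.offenses[ip] - 1))   # 30, 60, 120, ...
        self.banned_until[ip] = now + duration
        self.failures[ip] = []          # score resets; next ban needs a fresh burst
        minutes = int(duration.total_seconds() // 60)
        self.bans.append((ip, now, minutes))
        return minutes


def block_command(ip):
    """Firewall rule the ban corresponds to (returned as a string, not executed here)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def process_log(text, blocker=None):
    """Feed every failed-login line in `text` to the blocker and return it."""
    blocker = blocker or DynamicBlocker()
    for line in text.splitlines():
        parsed = parse_failed_login(line)
        if parsed:
            ts, _user, ip = parsed
            blocker.record_failure(ip, ts)
    return blocker


if __name__ == "__main__":
    b = process_log(SAMPLE_LOG)
    for ip, start, minutes in b.bans:
        print(f"{start:%b %d %H:%M:%S} ban {ip} for {minutes} min: {block_command(ip)}")
```

Two details worth keeping in a real deployment: the window stops a legitimate user who mistypes a password once a day from ever accumulating a ban, and the reset after each ban means the escalation is driven by repeated bursts, not by the first burst's leftover score. The unban (`iptables -D INPUT -s ... -j DROP` when `banned_until` passes) is left to the reader; whatever applies the rule should also whitelist your own management addresses so the attacker cannot lock you out by spoofing nothing more than a few failed logins.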
Current thread:
- Re: Brute force attack - need your advice, (continued)
- Re: Brute force attack - need your advice Tonnerre Lombard (Feb 12)
- Re: Brute force attack - need your advice Valdis . Kletnieks (Feb 12)
- Re: Brute force attack - need your advice Simon Smith (Feb 12)
- Message not available
- Re: Brute force attack - need your advice Simon Smith (Feb 12)
- Re: Brute force attack - need your advice Keith Kilroy (Feb 12)
- Re: Brute force attack - need your advice Tonnerre Lombard (Feb 12)
- Re: Brute force attack - need your advice Keith Kilroy (Feb 12)