Re: Brute force attack - need your advice

[<dudevanwinkle () hush ai>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NP FULL-DISCLOSURE ALWAYS IS HAPPY TO SUPPORT AL QAEDA

On Tue, 12 Feb 2008 03:51:02 -0500 Abilash Praveen
<contactme () abilashpraveen com> wrote:
> Hello experts,
>
> Thank for all your rude, honest, polite, helpful replies. I'm
> really glad I
> posted here and most of your replies (if not all) are very useful
> to me.
> Sorry iam not able to reply individually to everyone and thank
> you. I've
> been using a couple of servers and it was very unusal for me to
> get brute
> force on the server in which my persona website is hosted. That is
> the
> reason i posted this question.
>
> Anyway, I shall keep the server tight. Thanks for the port scan
> report you
> have pasted and also the advice on keeping the SSH on a different
> port.
> Thanks again to everyone who has replied.
>
> Kind regards,
> Abilash
>
>
> On 2/12/08, Keith Kilroy <keith () securitynow us> wrote:
> > Lock down your server so only needed ports are open, move ssh
> above
> > the norm scan range, setup SNORT and learn how to use it, harden
> and
> > update all progz. Check for web app holes.....buffer overflows
> etc.
> > The only box that is safe is the one unplugged hdd removed and
> > destroyed and rest of system locked in a closet.
> >
> > I just came off a gig with a presidential candidate (a lot of
> attacks
> > are targeted at those guys), ever heard of DDOS and botnets.
> move all
> > default ports you can and have their services report different
> than
> > what is really there.
> >
> > Just perform your due diligence and watch and archive your logs.
> >
> > If you are detecting the brute force attacks then you can stop
> them.
> > Believe me if you've posted anywhere before your email is out
> anyway.
> > Just try to stay ahead of the curve. Harden, log, respond. Oh
> yeah be
> > sure to perform your backups, if someone besides a Script Kiddie
> wants
> > in they'll get in. The only way to get ISP's to cooperate
> sometimes
> > involve getting the FBI involved (very fun and time consuming)
> but be
> > ready for them to seize your servers until either you (if a
> forensic
> > specialist) or they create a sound image /w hashes of your
> drives. but
> > most can be traced to the source if it too bad, you'll just go
> through
> > hell and strict guidelines that must be followed if you get them
> > involved. But if you try to hack back you'll be on the wrong
> side of
> > the bars. so tread lightly. better off securing your stuff and
> > monitoring with dynamic blocking that times out after a period
> of
> > time. Rank the attacker when it hits a 5 blockem for 30 min then
> if it
> > reoccurs and they achieve a high score then auto block em again
> > longer. the scripts are not that hard to write. Heck you can
> even
> > google and download some to get you started. chances are if you
> are
> > not real easy to exploit  they'll move on to the next box.
> >
> > Most here would rather report the vulnerabilities so you can fix
> em.
> > my 2cents take it for what it's worth.
> >
> > On Feb 12, 2008, at 2:41 AM, Tonnerre Lombard wrote:
> >
> > > Salut, Abilash,
> > >
> > > On Tue, 12 Feb 2008 02:16:02 +0530, Abilash Praveen wrote:
> > > > I had been talking to our web hosts the other day and they
> seem to
> > > > have a lot of unusual brute force attack on the servers
> recently. I'm
> > > > guessing that it could be because of my emails to the list? I
> mean,
> > > > do you advice on using a personal email for this type of
> list? Or
> > > > should I use something like @ gmail.com? I know they can't
> easily
> > > > break in to our servers, but am I just giving them a chance?
> > >
> > > I don't really think that this is closely related to the use
> of your
> > > mail address. Outside in the real nature, there is
> rain/snow/whatever,
> > > which occurs from time to time in some type of natural cycle,
> and you
> > > can't help it.
> > >
> > > The same goes for SPAM and worms/virii/other automated
> attacks.
> > > They'll
> > > always be there, like the rain and the show. What you should
> do is put
> > > on a rain coat: make sure your systems are up to date and
> looking
> > > regularly for holes in the coat. Keep the SPAM and worms off
> yourself,
> > > and whatever flies through your network is just random noise.
> > >
> > > (But please don't deduce from this posting that you should use
> it as
> > > input in a random number generator to generate cryptographic
> keys!)
> > >                               Tonnerre
> > > --
> > > SyGroup GmbH
> > > Tonnerre Lombard
> > >
> > > Solutions Systematiques
> > > Tel:+41 61 333 80 33          Güterstrasse 86
> > > Fax:+41 61 383 14 67          4053 Basel
> > > Web:www.sygroup.ch            tonnerre.lombard () sygroup ch
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkexyisACgkQ+cOIFG8Ql/6QNAP/RpoHcmhVBULCKwq75G1HVY0TnrxU
4lcN7JpHINrM0NNKN07JHZ4xgjLLJfwrTZ+O07509lkNM/RQll38HA0r+BREzna8FFzy
S9MCDUnS1QuE92FDOUa9TfwpzStaGoTBcb2bajPgGxV59RTtGw6v0jnz9etcEDFJlf3X
FA35OHQ=
=0Q7Z
-----END PGP SIGNATURE-----

--
Discount Online Trading - Click Now!
http://tagline.hushmail.com/fc/Ioyw6h4dPYx1KXwtz4Z4abkdjew1xIEcWnwgsSY3SfD76NTooqNaoI/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/