Re: Brute force attack - need your advice

[keith () securitynow us]

Hello Tonnerre,

"I personally think that Snort is snake oil."
It can be a pain to get setup and to actually reduce false positives, been using since begining of project, but 
requires a lot of learning to setup properly" and as I stated nothing is foolproof or totally secure. Other measures 
need deployed as well such as an application level firewall. I disagree with the snake oil statement (we'll agree to 
disagree here) but do agree someone that does not use it on a daily basis it is very hard to work through at first.

"Apart from the fact that you cannot destroy a hard disk in a way that
makes it unrecoverable (with expensive equipment and time), this is
pure populism." 

It takes quite a bit of heat and even then some data can be recovered, from magnetic residue, in labs. Usually cost 
prohibitive unless someone really wants your data bad and has a big budget. 

But please state a config that someone with experience can not get into, is more of a point that security is ever 
evolving.

"This is security by obscurity. If you just fiddle with the ports which
were open for a second, it is pretty easy to determine which service is
running on it. I see no point at all in all of this port changing."

Yup it is security by obscurity and it will help against a script kiddie that won't take the time to scan all ports, 
thats why I suggested move to a high non-standard port. 

"But I don't agree to ...

> write. Heck you can even google and download some to get you started.

...using any script Google finds, some have nasty bugs and blacklist
the wrong hosts (e.g. if you set an user name with spaces). You clearly
don't want your DNS server blacklisted, for example."

I'm not talking about downloading blacklists but dynamic firewall rules and scripting to achieve a dynamic list based 
on ranking of attacks against the box. Google does have a few references and examples that can be modified if 
necessary. I'm going under the assumption that scripting is not second nature to the tech setting up.

Blacklists downloaded, for lack of a better term suck.

Tonnerre I appreciate your comments too, debating is a good thing on things like this.

Keith

<a href="http://www.linkedin.com/in/keithkilroy"; ><img src="http://www.linkedin.com/img/webpromo/btn_viewmy_160x25.gif"; 
width="160" height="25" border="0" alt="View Keith Kilroy's profile on LinkedIn"></a>

-----Original Message-----
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Sent: Tuesday, February 12, 2008 7:20am
To: Keith Kilroy <keith () securitynow us>
Cc: Abilash Praveen <contactme () abilashpraveen com>, full-disclosure <full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] Brute force attack - need your advice

Salut, Keith,

On Tue, 12 Feb 2008 03:21:20 -0500, Keith Kilroy wrote:
> Lock down your server so only needed ports are open, move ssh above  
> the norm scan range, setup SNORT and learn how to use it, harden and  
> update all progz. Check for web app holes.....buffer overflows etc.

While I agree with locking down and checking for vulnerabilities, I
personally think that Snort is snake oil. It hardly ever detected
attacks for me which could have harmed my systems. (There were quite a
bunch of them, but they went mostly unnoticed.)

There are behavior based, autolearning IDS modes, but I've had my
experiences with jumping in public parking lots (which caused terror
alert because the IDS wasn't used to people jumping), so I am quite
sceptic of that as well.

> The only box that is safe is the one unplugged hdd removed and  
> destroyed and rest of system locked in a closet.

Apart from the fact that you cannot destroy a hard disk in a way that
makes it unrecoverable (with expensive equipment and time), this is
pure populism.

> Just perform your due diligence and watch and archive your logs.

I agree here; and don't log to syslog on localhost, have a separate
logging host like syslog is intended to be used...

> are targeted at those guys), ever heard of DDOS and botnets. move all  
> default ports you can and have their services report different than  
> what is really there.

This is security by obscurity. If you just fiddle with the ports which
were open for a second, it is pretty easy to determine which service is
running on it. I see no point at all in all of this port changing.

> If you are detecting the brute force attacks then you can stop them.

Apart from the bandwidth induced, bruteforce attacks are pretty useless
if you have sanely chosen passwords. And in the age of Tengig networks,
the bandwidth penalty is minimal.

> anyway. Just try to stay ahead of the curve. Harden, log, respond. Oh
> yeah be sure to perform your backups, if someone besides a Script

I totally agree to backups though, for various reasons[1]. ;-)

> [Lines of acute paranoia scrapped]
> securing your stuff and monitoring with dynamic blocking that times
> out after a period of time. Rank the attacker when it hits a 5
> blockem for 30 min then if it reoccurs and they achieve a high score

This is pretty useful for various purposes, also for saving bandwidth
used by brute force attackers. But I don't agree to ...

> write. Heck you can even google and download some to get you started.

...using any script Google finds, some have nasty bugs and blacklist
the wrong hosts (e.g. if you set an user name with spaces). You clearly
don't want your DNS server blacklisted, for example.

                                Tonnerre

[1]: No, a RAID1 is not a backup.
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33            Güterstrasse 86
Fax:+41 61 383 14 67            4053 Basel
Web:www.sygroup.ch              tonnerre.lombard () sygroup ch


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/