On Tue, Oct 04, 2005 at 05:51:00PM -0500, Steve Block wrote:
> Thanks for the extra info, Noah. I use the password library from the
> openwall project to enforce strong passwords/passphrases on the system,
> make sure daemons can't log in, etc. I'm not going to worry about these
> automated scans too much, and I'll just keep auto-blocking anyone hammering
> the SSH server.

FWIW, my site has several hundred Debian workstations, most of which run sshd. The only times I've ever seen these worms get in are when people create "temporary" accounts or something like that. We had a user who didn't know how to set up postgres authentication, so he gave the postgres user a password of "password" so he could su to it easily. Our user accounts have been OK.

I set up a user-mode-linux machine at one point and deliberately gave it a stupidly easy password. The worm got in and phoned home, and after a few minutes a real person logged in. He tried a couple of rootkits, which didn't work, and then just set up an IRC bot running as the non-privileged user whose account he was using.

In general, there's really not much interesting about these worms or the kiddies running them...

noah