On Fri, 23 Sep 2005 21:24:26 -0700 Ray Percival <[EMAIL PROTECTED]> wrote:
> Yeah. This is only a threat against *really* weak boxes. Having said
> that I've seen a lot of posts talking about changing ports. That's a
> line that I won't cross. I refuse to hide from the bots and it's not
> even a speedbump against somebody who is a real threat. But that's just
> my personal line in the sand.

I agree, but I've personally been the victim of such an attack; it's a pain in the ass when you can't su to root or log in on the console. What they did was to exploit gzip, I'm fairly certain. I could not apt-get, of course, and was thus left helpless.

I no longer have faith in user passwords. I do my best to prevent people using common user names (besides myself, who uses 'ed' of course, but with a decent password). The account abused was dominic/dominic; at the time this account was created the box did not have ssh open, and it was never an idea to, but then the service was opened and about 6 weeks later it was thoroughly shafted.

I use the following now:

    # table that the overload clause below fills; it must be declared before use
    table <abuse_src> persist
    rdr pass on $ext_if proto tcp from any to 1.2.3.4 port {22,3389} -> 10.10.10.10
    # pf grammar puts the block method before "quick": block [drop|return] [in|out] [log] [quick]
    block drop quick from <abuse_src>
    pass in on $ext_if proto tcp from any to $range port {22,3389} keep state \
        ( max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src> flush global )

After several weeks I have accumulated a list of about 60 IP blocks. I am wondering if block quick drop from abuse_src/24 is possible? But most of the IP addresses are not sequential.

-- 
A horse is a horse, of course, of course,
And no one can talk to a horse, of course,
Unless, of course, the horse, of course,
Is the famous Mr. Ed!
http://www.usenix.org.uk - http://irc.is-cool.net
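An added example, not code from this thread or from the OpenBSD project: pf tables accept CIDR prefixes as entries, so the "/24" question is really about which prefixes get loaded into <abuse_src>, not about the block rule. The script below reads a constructed address list in the one-entry-per-line format that `pfctl -t abuse_src -T show` prints, collapses it into the fewest prefixes covering exactly the same addresses, widens any /24 that holds several distinct offenders, and writes the result in the file format that `table <abuse_src> persist file "/etc/abuse_src"` loads. The table name, the file path, the sample addresses (RFC 5737 documentation ranges) and the "at least N hosts per /24" threshold are assumptions; the threshold is a local policy, not something pf does.

```python
"""Aggregate addresses accumulated in a pf overload table into CIDR prefixes.

Added example, not code from the original thread. The table name, the file
path and the sample addresses are assumptions; the "widen to /24" threshold
is a local policy choice, not a pf feature. IPv4 only.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: what `pfctl -t abuse_src -T show` might print after a
# few weeks of overload hits (RFC 5737 documentation addresses).
SAMPLE_TABLE = """\
   192.0.2.17
   192.0.2.18
   192.0.2.19
   192.0.2.20
   198.51.100.5
   203.0.113.77
   203.0.113.78
"""


def parse_table(text):
    """Parse one IPv4 address or CIDR prefix per line into IPv4Network objects.

    Blank lines and '#' comments are skipped, so the same parser also reads
    a hand-maintained table file.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent, aligned entries into the fewest prefixes that cover
    exactly the same addresses. Scattered addresses stay /32, which is why a
    list of non-sequential offenders does not simply turn into /24s."""
    return sorted(ipaddress.collapse_addresses(nets))


def widen_to_24(nets, min_hosts=3):
    """Policy step (assumed, not a pf feature): if at least min_hosts addresses
    in the table fall inside the same /24, replace them with the whole /24;
    otherwise keep the individual entries."""
    kept = []
    groups = defaultdict(list)
    for net in nets:
        if net.prefixlen > 24:
            groups[net.supernet(new_prefix=24)].append(net)
        else:
            kept.append(net)  # already a /24 or wider: leave as-is
    for block, members in groups.items():
        if sum(m.num_addresses for m in members) >= min_hosts:
            kept.append(block)
        else:
            kept.extend(members)
    return collapse(kept)


def render_pf_table(nets):
    """Emit the one-entry-per-line format that
    `table <abuse_src> persist file "/etc/abuse_src"` loads."""
    return "".join(f"{net}\n" for net in nets)


if __name__ == "__main__":
    entries = parse_table(SAMPLE_TABLE)
    print("# exact cover of the accumulated addresses:")
    print(render_pf_table(collapse(entries)), end="")
    print("# with clustered /24s widened (min_hosts=3):")
    print(render_pf_table(widen_to_24(entries)), end="")
```

Once the file is written, `pfctl -t abuse_src -T replace -f /etc/abuse_src` swaps the table contents without reloading the ruleset, and the existing `block drop quick from <abuse_src>` rule matches whatever prefixes are in the table. In the sample, only the 192.0.2.0/24 cluster is widened; the scattered single addresses stay /32, which is the situation the poster describes.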