[clug] Stopping them at the door

Antti.Roppola at brs.gov.au Antti.Roppola at brs.gov.au
Mon Feb 14 01:05:03 GMT 2005

How many sites/networks do you actually connect from?

When I had ssh listening on my home firewall (I used it so infrequently
I switched it off altogether), iptables was set up to only allow
connections from specific networks. Anywhere else never saw the login.

Less feasible for a large site, but how many of your users are
actually using ssh anyway?

I'd take it as a given that a broken account will be escalated; AFAIK
there are many more opportunities once someone's foot is in the door.
Any expert commentary on this assumption of mine?


-----Original Message-----
From: Paul Wayper [mailto:paul.wayper at anu.edu.au] 
Sent: Monday, 14 February 2005 11:34 AM
To: linux at lists.samba.org
Subject: [clug] Stopping them at the door

Hi there!

As a good administrator, I read the nightly logs of attempted logins and send a message to the abuse contacts for each IP that tries to do a login scan of my machine.  All of the attacks I've seen so far are just scans of common insecure logins, but what I'm worried about is coming in in the morning to find the logs saying someone's bashed away with a brute force password checker and found my password (they'll be trying to find an eight letter made-up word, and I imagine if they started a minute after I left in the afternoon they'd still be bashing away on it by the time I came back next morning.)

The question I have is: if someone's managed to get access to a non-root account, how certain is it that they can get root access?  Is it just going to be a matter of uploading a program or typing in a special command, or is there something I can do to slow these types of attacks down?  Is SELinux the answer?  Or is it just a matter of picking good passwords for all the login accounts and hoping?

On a related note, how do I lengthen the amount of time the system stores the security logs?

Thanks in advance,


-- Paul Wayper at ANU - +61 2 6125 0643
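
One way to generate the source-restricted ssh rules described in the reply at the top of this thread (an added example, not code from either poster). The chain name SSH_ALLOW, the function names and the sample networks are assumptions; the script only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: print iptables rules that expose sshd only to listed networks.
# SSH_ALLOW is a hypothetical chain name; it must not already exist.

# valid_cidr A.B.C.D[/N]: succeed only for a well-formed IPv4 address or CIDR.
valid_cidr() {
    addr=${1%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# ssh_allowlist_rules CIDR...: print the rule set on stdout. Fails without
# printing any rule if the list is empty or an entry is malformed.
ssh_allowlist_rules() {
    if [ $# -eq 0 ]; then
        echo "refusing: an empty allowlist would lock out every ssh client" >&2
        return 1
    fi
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    echo "iptables -N SSH_ALLOW"
    for net in "$@"; do
        echo "iptables -A SSH_ALLOW -s $net -j ACCEPT"
    done
    # Any other source is dropped silently and never reaches the login prompt.
    echo "iptables -A SSH_ALLOW -j DROP"
    # Hook the chain in last, once it is fully populated.
    echo "iptables -A INPUT -p tcp --dport 22 -j SSH_ALLOW"
}

# Stand-alone use: pass the networks as arguments, e.g. 203.0.113.0/24
# (a documentation range standing in for a real site).
if [ $# -gt 0 ]; then ssh_allowlist_rules "$@"; fi
```

Because the jump is appended to INPUT, it has no effect if an earlier INPUT rule already accepts port 22 from anywhere.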
