[clug] mc-root anyone?

Paul Wayper paulway at mabula.net
Thu Jun 18 12:10:46 GMT 2009


On 18/06/09 14:53, Daniel Pittman wrote:
> Michael Still<mikal at stillhq.com>  writes:
>> Two questions:
>> - is there anything else I should do to this machine?
>
> That depends how much paranoia you have.  My general experience, these days,
> is that many attackers are quite happy to automatically compromise a system
> and run a robot; they don't bother to go beyond that point.

My observation is that attacks on Linux systems want to run more SSH 
vulnerability checks, and infrequently an HTTP server they can put scam web 
pages on.  I haven't heard any evidence of full-blown zombie controllers under 
Linux.  (In other words, they may exist, but F-Secure and the wider Linux 
community haven't seen them as a common occurrence.)

Windows machines get zombie controllers slapped on them because they are easy 
to take over, they form the vast majority of the machines on the internet, and 
their administrators are frequently clueless.  For that reason they get the 
most attention from malware writers.

I would recommend never allowing SSH on port 22 on anything that handles a 
connection from the internet.  I have a port remapping NAT rule on my firewall 
to remap from a high port to SSH on my internal server; other people just 
change the 'Port' number in /etc/ssh/sshd_config to a highish number (2222 is 
easy to remember).  If you're paranoid, you also run fail2ban or some similar 
daemon that checks for too many password failures and bans that IP address 
automatically for a time.

These people are scanning for connections on port 22.  We haven't (yet) seen 
people trying to actually scan the ports on a remote machine looking for an 
SSH server.  When we do, believe me, you will not be able to move on the 
internet without hitting three or four sysadmins reconfiguring their 
external-facing SSH servers.

Have fun,

Paul
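A fail2ban-style check of the kind described in the post above, added here as an illustration and not code from the thread or from fail2ban itself: it replays sshd log lines (constructed sample data), counts "Failed password" entries per source address inside a sliding window, and records a temporary ban once the threshold is crossed. The syslog line format, the year, the threshold, window and ban length are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the original post); the
# traditional syslog prefix carries no year, so 2009 is assumed below.
SAMPLE_LOG = """\
Jun 18 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Jun 18 12:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40212 ssh2
Jun 18 12:00:04 host sshd[1003]: Accepted publickey for paul from 198.51.100.7 port 50123 ssh2
Jun 18 12:00:05 host sshd[1004]: Failed password for root from 203.0.113.5 port 40213 ssh2
Jun 18 12:00:06 host sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 40214 ssh2
Jun 18 12:00:07 host sshd[1006]: Failed password for root from 203.0.113.5 port 40215 ssh2
Jun 18 12:00:09 host sshd[1007]: Failed password for root from 203.0.113.5 port 40216 ssh2
Jun 18 12:20:00 host sshd[1008]: Failed password for root from 203.0.113.9 port 40300 ssh2
Jun 18 12:20:30 host sshd[1009]: Failed password for root from 203.0.113.9 port 40301 ssh2
"""

# Matches only password failures; "invalid user" lines are included too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(text, year=2009):
    """Turn the syslog timestamp into a datetime (year is assumed)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, max_failures=5, window=timedelta(minutes=10),
              ban_time=timedelta(minutes=30)):
    """Replay the log in order and return {ip: (ban_start, ban_end)} for
    every source that reached max_failures within `window`.  Failures
    arriving while an address is already banned are ignored, as the
    firewall would have dropped them."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and other noise
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        if ip in bans and ts < bans[ip][1]:
            continue              # still banned; nothing to count
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures:
            bans[ip] = (ts, ts + ban_time)
            q.clear()
    return bans
```

With the sample data, 203.0.113.5 is banned at its fifth failure and its sixth attempt is not counted, while 203.0.113.9 stays below the threshold.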
