

Sloppy Linux Admins Enable Slow Brute-Force Attacks

badger.foo passes on the report of Peter N. M. Hansteen that a third round of low-intensity, distributed brute-force attacks is now in progress — we earlier discussed the first and second rounds — and that sloppy admin practice on Linux systems is the main enabler. As before, the article links to log data (this time 770 apparently already compromised Linux hosts are involved), and further references. "The fact that your rig runs Linux does not mean you're home free. You need to keep paying attention. When your spam washer has been hijacked and tries to break into other people's systems, you urgently need to get your act together, right now."
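As an added illustration of the defensive problem the summary raises (this is example code, not part of the article or its linked log data), the script below compares a classic per-IP lockout rule with a per-account view over constructed sshd log lines: the low-intensity, distributed pattern stays under the first rule and only becomes visible in the second. Host name, addresses, usernames and thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines (not the article's data): six unrelated sources
# each try "root" once or twice, far below any per-IP lockout threshold.
SAMPLE_LOG = """\
Oct 10 03:12:01 spamwash sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 10 03:19:44 spamwash sshd[2107]: Failed password for root from 203.0.113.77 port 40012 ssh2
Oct 10 03:27:09 spamwash sshd[2113]: Failed password for invalid user admin from 198.51.100.23 port 38821 ssh2
Oct 10 03:35:52 spamwash sshd[2120]: Failed password for root from 198.51.100.23 port 38830 ssh2
Oct 10 03:44:10 spamwash sshd[2126]: Failed password for root from 203.0.113.130 port 60410 ssh2
Oct 10 03:52:31 spamwash sshd[2131]: Failed password for invalid user admin from 192.0.2.44 port 45112 ssh2
Oct 10 04:01:15 spamwash sshd[2138]: Failed password for root from 192.0.2.44 port 45120 ssh2
Oct 10 04:09:58 spamwash sshd[2144]: Failed password for root from 198.51.100.201 port 52290 ssh2
Oct 10 04:15:03 spamwash sshd[2150]: Accepted publickey for bob from 192.0.2.10 port 50001 ssh2
Oct 10 04:18:33 spamwash sshd[2155]: Failed password for bob from 192.0.2.10 port 50002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_failures(log):
    """Return (user, source_ip) pairs for every failed password attempt."""
    return [m.groups() for line in log.splitlines() if (m := FAILED.search(line))]


def noisy_sources(events, threshold=5):
    """Classic per-IP rule (fail2ban style): sources with >= threshold failures."""
    counts = Counter(ip for _, ip in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_targets(events, min_sources=4, per_ip_max=3):
    """Accounts hit from many distinct sources that each stay under the per-IP rule."""
    per_ip = Counter(ip for _, ip in events)
    by_user = defaultdict(set)
    for user, ip in events:
        if per_ip[ip] <= per_ip_max:  # only the quiet sources matter here
            by_user[user].add(ip)
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP rule flags:", noisy_sources(ev))          # []
    print("distributed targets:", distributed_targets(ev))  # {'root': [...6 sources]}
```

On real logs the per-account view is the one to alert on for this class of attack, since no single source ever crosses a per-IP threshold.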

4 of 391 comments

  1. Re:Outward facing systems ... by quintus_horatius · Score: 5, Insightful

    And perhaps set your SSH port to a non-standard port, where possible? Brute-force attackers seem to ignore high (> 1023) ports.

  2. Re:Outward facing systems ... by icydog · Score: 5, Insightful

    I agree with your post if only one person needs access to the box (and I agree with PermitRootLogin no always). But while public key auth is great, it just isn't feasible for many applications. For example, imagine you're a cheap webhost that provides ssh, scp, sftp access to your users. Do you require them all to use public key auth? 90% of them don't even know what that means. What a support headache.

    And public keys aren't always that secure either. There are probably still plenty of servers with weak keys from the Debian debacle. What do you do with those users if password authentication is disallowed? Just lock them out and make them call you for a key reset?

  3. A REALLY SLOW attack ... by Jerry · Score: 5, Insightful

    This attack was first reported last November, eleven months ago, and again in April of this year, 180 days ago.

    IF the bad guys have been able to capture only 770 Linux boxes since April that is only slightly more than 4 boxes per day. At that rate it would take them 833 years to create a Linux bot farm equal in size to the 1.3 million Windows bot farm recently reported. Out of the millions of Linux boxes in use, 770 represents a vanishingly small threat.

    Using this "threat" as an excuse NOT to move from Windows to Linux, or to move from Linux back to Windows, would be similar to playing Russian roulette with a fully loaded revolver and hoping to survive.

    --

    Running with Linux for over 20 years!

  4. Re:Outward facing systems ... by cetialphav · Score: 5, Insightful

    Port knocking is a good way to conceal that ssh is available.

    I guess it depends on what type of attacker you are trying to protect against. For attackers that are trolling around looking for easy targets, things like this that add obscurity probably make sense. On the other hand, if I were in charge of a high value target, then I probably wouldn't bother. A high value target will have knowledgeable attackers who are very focused on exploiting you. In those cases, things like this are only mild inconveniences that will not make them give up. The port knocking sequence needed to open up ssh is not exactly a secret. It gets exposed in the clear to the network on every ssh connection. For high value targets, I would actually want the system as simple as possible to reduce the possibility that a bug in one of the obscurity features actually becomes the attack vector.

    Using port knocking is like locking my car door. It makes it harder for lazy, stupid thieves to get into my car, but it does absolutely nothing for someone who really, really wants to steal my car because a good thief can bypass it in a trivial amount of time.