Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Hail Mary Cloud and the Lessons Learned

Posted by timothy on from the not-so-full-of-grace dept.

badger.foo writes "Against ridiculous odds and even after gaining some media focus, the botnet dubbed The Hail Mary Cloud apparently succeeded in staying under the radar and kept compromising Linux machines for several years. This article sums up the known facts about the botnet and suggests some practical measures to keep your servers safe."

5 of 99 comments (clear)

  1. Denyhosts by mcelrath · · Score: 5, Informative

    The solution to low-frequency brute force attempts is Denyhosts. It just blocks any host with repeated failed login attempts. I've been using it for longer than I can remember, probably longer than this "Hail Mary" botnet has been in existence. I'm not sure why this author seems to have never heard of it.

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    1. Re:Denyhosts by Anonymous Coward · · Score: 5, Informative

      Another useful software for auto-banning bad accesses is fail2ban which can also handle other services, like exim, vsftp, apache, etc.

    2. Re:Denyhosts by Noryungi · · Score: 3, Informative

      I second that: DenyHosts is now mandatory on all the Linux servers I manage, and allows one to protect servers against that type of attacks with minimal effort.

      Please note that the author did not mention Denyhosts since his servers run OpenBSD, which incorporates DenyHosts functionality through ''pf'', its packet filter/firewall software (see the brute-force configuration of pf for more details).

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    3. Re:Denyhosts by module0000 · · Score: 4, Informative

      If you like DenyHosts - look at fail2ban. It has all the functionality of the older DenyHosts project and more. You can ban based on more than failed ssh logins - but any type of logfile imaginable. With customized responses to X login failures per Y time units for Z service. You'll find it in the repo's for all debian/rhel based distributions.

      --
      Trackball users will be first against the wall.
  2. Executive summary by Anonymous Coward · · Score: 5, Informative

    "I've managed to get my name on slashdot a lot"

    "Use key auth instead of passwords"

    "My references are my own blog posts"

    There's nothing interesting to see here. Don't allow password logins to your system, because you can't trust people to use good passwords. It's 2013, there's no cake for pointing this out.