Botnet Survey
Mar. 11th, 2007 05:34 pm
So, this morning, now that Pendorwright has come back up, I did a survey of my box, scanning for rootkits and basically doing the monthly security sweep. The machine looks okay, but there were a lot of break-in attempts recorded by auth.log, brute-force dictionary attacks on the SSH server mostly. I decided to do something about it by putting up a self-protecting firewall, one that uses various TCP/IP controls to block users before they even get to the "enter a password" phase.
When I first started up the program, DenyHosts, it immediately found 165 different hosts out there that were systematically trying to script-kiddie my box, throwing over 11,000 user names at it. So far, nobody but me has been able to get in, but grief, how ugly and annoying. Next thing you know, I'll have to reconfigure the secure login server to use an obscure port just to keep the log files from growing absurdly large.
no subject
Date: 2007-03-17 09:12 am (UTC)
bruteblockd stares at the syslogs looking for SSH login failures. If the same IP address fails to log in X times within Y minutes, that address gets plonked into the firewall, and all packets are blocked for Z minutes (where the values of X, Y, and Z are configurable). The result is that you see the brute-force attacks in the logs, but they don't fill your disk.
In reality, though, my gateway isn't very secure. I don't know very much about writing firewall rules. The NAT daemon seems to keep most of the nasties from pwn1ng the Windoze boxen here.
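The X-failures-in-Y-minutes rule the comment describes, written out as an added example (not code from the post, from bruteblockd or from DenyHosts) that replays constructed auth.log lines and reports which address would be blocked and until when. It assumes OpenSSH's "Failed password for ... from ..." log format and, since syslog lines carry no year, a caller-supplied year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# OpenSSH "Failed password" lines as they appear in a syslog-style auth.log.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_ts(line, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed 2007 here)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

class BruteBlocker:
    """X failures from one IP within Y minutes => that IP is blocked for Z minutes."""
    def __init__(self, max_failures, window_minutes, block_minutes):
        self.max_failures = max_failures
        self.window = timedelta(minutes=window_minutes)
        self.block = timedelta(minutes=block_minutes)
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.blocked = {}                   # ip -> time the block expires

    def feed(self, line, year=2007):
        """Consume one log line; return (ip, expiry) when a new block is triggered."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ts, ip = parse_ts(line, year), m.group(1)
        for old in [i for i, exp in self.blocked.items() if exp <= ts]:
            del self.blocked[old]           # Z minutes are up: lift the block
        if ip in self.blocked:
            return None                     # already blocked; the firewall drops it
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.window:      # slide the Y-minute window forward
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked[ip] = ts + self.block
            q.clear()
            return ip, self.blocked[ip]
        return None

def run(lines, max_failures=3, window_minutes=5, block_minutes=30):
    """Replay log lines in order and collect every block decision."""
    bb = BruteBlocker(max_failures, window_minutes, block_minutes)
    return [ev for ev in map(bb.feed, lines) if ev]

# Constructed sample: 10.0.0.5 hammers inside the window, 192.0.2.7 stays below the threshold.
SAMPLE_LOG = [
    "Mar 17 09:00:00 host sshd[2050]: Failed password for root from 192.0.2.7 port 51000 ssh2",
    "Mar 17 09:07:00 host sshd[2060]: Failed password for root from 192.0.2.7 port 51001 ssh2",
    "Mar 17 09:12:01 host sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2",
    "Mar 17 09:12:44 host sshd[2104]: Failed password for invalid user oracle from 10.0.0.5 port 40130 ssh2",
    "Mar 17 09:13:10 host sshd[2107]: Failed password for root from 10.0.0.5 port 40141 ssh2",
    "Mar 17 09:13:50 host sshd[2110]: Failed password for invalid user test from 10.0.0.5 port 40150 ssh2",
    "Mar 17 09:15:00 host sshd[2080]: Accepted publickey for elf from 198.51.100.4 port 33000 ssh2",
]
```

Running `run(SAMPLE_LOG)` yields one block decision, for 10.0.0.5 until 09:43:10; the slow host never accumulates three failures inside the five-minute window, and the fourth 10.0.0.5 line is ignored because the address is already blocked.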