SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Dr Andrew C Aitchison <[log in to unmask]>
Reply To: Dr Andrew C Aitchison <[log in to unmask]>
Date: Thu, 2 Oct 2008 09:59:53 +0100
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (50 lines)

On Thu, 2 Oct 2008, John Summerfield wrote:

> To breach my system, the cracker needs a distributed attack or to be lucky.

I've seen several distributed attacks - there is one ongoing on my machine
at the moment:

Sep 30 17:59:00 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from abu66.internetdsl.tpnet.pl
Sep 30 18:00:58 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 200.53.121.213
Sep 30 18:01:35 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 80.48.204.226
Sep 30 18:02:05 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from customer-200-79-25-39.uninet.net.mx
Sep 30 18:11:54 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 201.28.119.60
Sep 30 18:14:45 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 189.36.160.62
Sep 30 18:15:27 brambing sshd[]: error: PAM: Authentication failure for illegal user aab from port668.ds1-oebr.adsl.cybercity.dk
Sep 30 18:21:17 brambing sshd[]: error: PAM: Authentication failure for illegal user aaj from mail.cooperativalehmann.com.ar
 	...	...	...
Oct  2 01:57:18 brambing sshd[]: error: PAM: Authentication failure for illegal user bnn from 218.28.143.246
Oct  2 02:29:27 brambing sshd[]: error: PAM: Authentication failure for illegal user bno from 58.223.242.246
Oct  2 03:03:15 brambing sshd[]: error: PAM: Authentication failure for illegal user bnp from 211.94.209.19
Oct  2 03:36:16 brambing sshd[]: error: PAM: Authentication failure for illegal user bnq from 211.94.209.19
Oct  2 04:08:00 brambing sshd[]: error: PAM: Authentication failure for illegal user bnr from 203.98.175.182
Oct  2 05:17:00 brambing sshd[]: error: PAM: Authentication failure for illegal user bnt from 189.43.21.244
Oct  2 05:51:30 brambing sshd[]: error: PAM: Authentication failure for illegal user bnu from 189.43.21.244
Oct  2 07:35:19 brambing sshd[]: error: PAM: Authentication failure for illegal user bnx from 58.223.242.246
Oct  2 08:11:01 brambing sshd[]: error: PAM: Authentication failure for illegal user bny from 80.118.132.88


> What might be useful, but I don't have enough public IP addresses that I've 
> bothered with it, is to have network-wide monitoring where an intrusion 
> attempt at one site results in the cracker's being blocked at all firewalls.

We have a script which adds blocks to our site firewall whenever a remote
machine makes too many connections in too short a time.
This catches scripts scanning a range of ip addresses but isn't so good
at the scripts which make a slow trickle of connections over a long period.

> You should not assume that a possessor of your laptop is a user, but you 
> could require the user to authenticate via the VPN before trusting the 
> laptop. Of course, you do not want the user to use a stored password (so 
> http/https is out) or for ~/.bash_history to contain useful clues.

ssh-agent means that although the ssh keys aren't stored on disk
they *are* held in memory much of the time. Given that many laptops
are suspended and rarely rebooted, do you have a way of ensuring
that the machine regularly reconfirms the user's identity?

-- 
Dr. Andrew C. Aitchison		Computer Officer, DPMMS, Cambridge
[log in to unmask]	http://www.dpmms.cam.ac.uk/~werdna
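The two kinds of detection discussed in this message, shown as an added example that is not the poster's site script nor any code from the list: a per-source rate rule of the sort the reply describes (block a remote host that makes too many connections in too short a time), run beside a cross-source rule that looks for the pattern visible in the quoted log, many different hosts each trying one illegal username, walking through names in lexical order (aaa, aab, ... bnq). The log lines, the hostname, the addresses (RFC 5737 documentation ranges), the assumed year and the thresholds are all constructed for the demo and are assumptions, not a recommended policy.

```python
"""Per-source rate blocking versus a slow, distributed SSH brute force.

Added example, not the original poster's script. The log format follows the
PAM lines quoted in the message; sample lines, addresses, year and thresholds
are constructed assumptions for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the lines quoted in the post: "... illegal user <name> from <host>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d*\]: error: PAM: "
    r"Authentication failure for illegal user (?P<user>\S+) from (?P<src>\S+)$"
)
YEAR = 2008  # syslog timestamps carry no year; assumed for the sample

# Constructed sample: one fast scanner (192.0.2.10, six tries in 13 s) and a
# slow trickle of eight hosts, each trying one username, in lexical order.
SAMPLE_LOG = """\
Sep 30 17:30:01 brambing sshd[]: error: PAM: Authentication failure for illegal user admin from 192.0.2.10
Sep 30 17:30:03 brambing sshd[]: error: PAM: Authentication failure for illegal user admin from 192.0.2.10
Sep 30 17:30:05 brambing sshd[]: error: PAM: Authentication failure for illegal user admin from 192.0.2.10
Sep 30 17:30:08 brambing sshd[]: error: PAM: Authentication failure for illegal user admin from 192.0.2.10
Sep 30 17:30:11 brambing sshd[]: error: PAM: Authentication failure for illegal user admin from 192.0.2.10
Sep 30 17:30:14 brambing sshd[]: error: PAM: Authentication failure for illegal user admin from 192.0.2.10
Sep 30 17:59:00 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 198.51.100.1
Sep 30 18:31:10 brambing sshd[]: error: PAM: Authentication failure for illegal user aab from 198.51.100.2
Sep 30 19:02:44 brambing sshd[]: error: PAM: Authentication failure for illegal user aac from 203.0.113.3
Sep 30 19:35:07 brambing sshd[]: error: PAM: Authentication failure for illegal user aad from 198.51.100.4
Sep 30 20:08:51 brambing sshd[]: error: PAM: Authentication failure for illegal user aae from 203.0.113.5
Sep 30 20:40:19 brambing sshd[]: error: PAM: Authentication failure for illegal user aaf from 198.51.100.6
Sep 30 21:12:33 brambing sshd[]: error: PAM: Authentication failure for illegal user aag from 203.0.113.7
Sep 30 21:44:02 brambing sshd[]: error: PAM: Authentication failure for illegal user aah from 198.51.100.8
Sep 30 22:15:00 brambing sshd[]: Accepted publickey for alice from 192.0.2.20 port 50312 ssh2
"""


def parse(lines):
    """Yield (timestamp, user, source) for each recognised failure line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and other sshd noise are skipped
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def rate_limit_blocks(events, max_attempts=5, window_s=60):
    """Per-source rule: block a host with more than max_attempts failures
    inside any window_s span. It looks at one source at a time, so a host
    that tries once and hands over to the next host never trips it."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, _user, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_attempts:
            blocked.add(src)
    return blocked


def campaign_sources(events, min_sources=6, window_s=12 * 3600):
    """Cross-source rule for the slow trickle: a run of failures whose
    usernames strictly increase in lexical order (one dictionary being
    worked through) spread over at least min_sources distinct hosts within
    window_s. Returns every host in such a run so all can be blocked at once."""
    chain = deque()  # (ts, user, src) of the current ordered run
    flagged = set()
    for ts, user, src in sorted(events):
        while chain and (ts - chain[0][0]).total_seconds() > window_s:
            chain.popleft()
        if chain and user <= chain[-1][1]:
            chain.clear()  # order broke: a different dictionary or a scanner
        chain.append((ts, user, src))
        srcs = {s for _, _, s in chain}
        if len(srcs) >= min_sources:
            flagged |= srcs
    return flagged


def analyse(lines):
    """Run both rules over a log and report what each would block."""
    events = list(parse(lines))
    return {
        "rate_blocked": rate_limit_blocks(events),
        "campaign": campaign_sources(events),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    print("per-source rate rule blocks:", sorted(result["rate_blocked"]))
    print("cross-source enumeration rule blocks:", sorted(result["campaign"]))
```

Run as-is: the per-source rule blocks only the fast scanner and leaves every trickle host untouched, which is exactly the gap the message describes, while the enumeration rule flags all eight trickle hosts together. The second rule is a heuristic tied to this campaign's alphabetically ordered dictionary; a campaign using a shuffled word list would need a different correlation, such as counting distinct hosts that each produce only one or two illegal-user failures in the window. In either case the useful output is a set of hosts rather than a single host, which is what a block shared across several sites' firewalls would consume.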
