RE: Is this normal?

From: Andrew Shore (andrew.shore_at_holistecs.com)
Date: 10/22/04

    Date: Fri, 22 Oct 2004 11:01:53 +0100
    To: "Erlend Lorentzen" <er-lore@online.no>, <security-basics@securityfocus.com>
    
    

    This is far too common.

    A few simple security tips may help.

    1. Do not allow root any remote access; create a user and su if you need
    root privilege

    2. Unless you need to access the firewall from the outside, block ssh
    traffic from the outside interface via the firewall software

    I wouldn't be too worried if you are seeing this traffic blocked; it's
    when it gets through that there's a problem.

    Andy

    -----Original Message-----
    From: Erlend Lorentzen [mailto:er-lore@online.no]
    Sent: 21 October 2004 18:49
    To: security-basics@securityfocus.com
    Subject: Is this normal?

    Hi

    I'm not very experienced with this sort of thing so please bear with me.
    The following concerns my Slackware 9.1 NAT/Firewall protecting my Home
    LAN from the Internet.

    Checking my logs today I was a bit surprised to find about 80 refused
    connection attempts to my sshd during the last month like:
    Oct 7 21:22:27 firewall sshd[9710]: refused connect from
    xxx.xxx.xxx.xxx

    I did reverse lookups on the IPs with dig and found that the attempts
    originated from a variety of hosts from Italy, Poland, Russia, Sweden and
    Pakistan to name but a few.

    One particular host had tried connecting 19 times with just a few
    seconds between tries (is he/she just trying different commonly used
    passwords?)

    Now to my questions:
    Is this normal?
    Should I be concerned?
    Any security tips, suggestions, thoughts? (I update regularly with
    swaret (SlackwareTool), use strong random passwords, tcp wrappers)
    Anyone know a good guide to hardening Slackware?
    Anything else you'd like to mention?

    Thanks, your help is much appreciated!

    Best regards, Erlend.
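As an added illustration (not code from either poster), the script below parses tcp_wrappers "refused connect" lines of the kind quoted above, counts refusals per source and flags sources that retry within seconds of each other, which is the pattern Erlend asked about. The log lines are constructed, the year 2004 is assumed because syslog timestamps omit it, and the burst threshold and window are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the tcp_wrappers refusal line quoted in the thread (no year in syslog).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"refused connect from (?P<src>\S+)$"
)

# Constructed sample log: one rapid-retry source, one slow source, one single hit.
SAMPLE_LOG = """\
Oct  7 21:22:27 firewall sshd[9710]: refused connect from 203.0.113.7
Oct  7 21:22:31 firewall sshd[9711]: refused connect from 203.0.113.7
Oct  7 21:22:36 firewall sshd[9712]: refused connect from 203.0.113.7
Oct  7 21:22:40 firewall sshd[9713]: refused connect from 203.0.113.7
Oct  7 21:22:45 firewall sshd[9714]: refused connect from 203.0.113.7
Oct  7 21:22:49 firewall sshd[9715]: refused connect from 203.0.113.7
Oct  8 03:10:02 firewall sshd[9802]: refused connect from 198.51.100.23
Oct  8 11:45:19 firewall sshd[9877]: refused connect from 198.51.100.23
Oct  9 07:01:55 firewall kernel: eth0: link up
Oct 12 14:33:08 firewall sshd[10021]: refused connect from 192.0.2.44
"""

def parse_refusals(lines, year=2004):
    """Return {source: sorted [datetime, ...]} for every 'refused connect' line."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog noise (kernel messages etc.)
        ts_text = " ".join(m["ts"].split())  # collapse the double space in "Oct  7"
        hits[m["src"]].append(datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"))
    return {src: sorted(times) for src, times in hits.items()}

def find_bursts(hits, threshold=5, window=60):
    """Flag sources with at least `threshold` refusals inside any `window` seconds."""
    flagged = {}
    for src, times in hits.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged

def summarize(text=SAMPLE_LOG, threshold=5, window=60):
    """Map each source to (total refusals, flagged as rapid retries?)."""
    hits = parse_refusals(text.splitlines())
    bursts = find_bursts(hits, threshold, window)
    return {src: (len(t), src in bursts) for src, t in hits.items()}

if __name__ == "__main__":
    for src, (n, burst) in summarize().items():
        print(f"{src:16} {n:3} refusals{'  <-- rapid retries' if burst else ''}")
```

Run it against /var/log/messages (or wherever tcp_wrappers logs on the box) to get the per-source view that the bare refusal count in the logs does not give.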

