Thursday, July 21, 2011

Re: [BLUG] How many of you run home servers?

Yes, I gave a talk on this 4 years ago. I did have an article for it on
the BLUG wiki and a graph showing the growth of the worm over a few
months, but I haven't had time to recover the wiki since it broke after
a PHP upgrade. Sorry about that.

Anyways, hashlimit has worked quite well. The problem that I was
running into was that the worm that was running around trying every
first name as a username was hitting my servers so hard that it opened
up enough connections to prevent normal users from logging in. So I
turned on hashlimit in the firewall and that stopped the problem. I
also decided at that point that I would move my servers that don't need
ssh access by customers to a custom port. I found one suitable by
searching a year's worth of firewall logs and found one that hadn't ever
been hit by port scanners. There are actually several ports like this
so don't ask me which one I use. This is an exercise left to the reader.
;-)

So you can see, there are other issues besides just "if they get the
right username and password"; they can practically DoS your system.
Back in 2005 I think I was getting somewhere around 60,000 login
attempts per day.

On Wed, Jul 20, 2011 at 08:51:55PM GMT, Williams, Jeffery Allen [jefjewil@indiana.edu] said the following:
> A while back (3 or more years) there was a discussion about ssh brute force attacks. (I think Mark sent something related to SUSO getting hammered.) Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables. I have other lines that limit service connections to a few per second from any source (ntp for instance). I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.
>
> I also have notes in my firewall script about portsentry. But I don't know if that's still a thing.
>
> Finally, my router is a piece of crap. If too many connection attempts happen at once it just locks up until it's power cycled. This further prevents brute force attacks (but is more than a little annoying).
>
> Jeffery Williams
> Software Engineer
> ISAT Hall
> 867-5309
> _______________________________________________
> BLUG mailing list
> BLUG@linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>

--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/

Sent from Mutt using Linux
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
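An added example, not code from the thread: an iptables rule set that does what Jeffery describes (hashlimit on new SSH connections, 4 per minute per source IP), with established sessions exempted so the connection flood Mark describes cannot lock out users who are already logged in. The port (22), the chain name SSH_LIMIT, the burst value and the print-by-default/APPLY=1 switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the BLUG thread. Prints the iptables commands by
# default so they can be reviewed; run with APPLY=1 as root to execute them.
SSH_PORT="${SSH_PORT:-22}"        # assumed; the thread moves some hosts to a custom port
RATE="${RATE:-4/minute}"          # Jeffery's figure: 4 new connections per minute per source
BURST="${BURST:-4}"               # assumed bucket size (initial burst allowed per source)

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Builds a dedicated chain so the limit can be reloaded without touching INPUT.
ssh_hashlimit_rules() {
    run iptables -N SSH_LIMIT 2>/dev/null || true   # already exists on reload
    run iptables -F SSH_LIMIT
    # Packets of already-accepted sessions are never counted, so a flood of
    # NEW attempts cannot starve users who are already logged in.
    run iptables -A SSH_LIMIT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A NEW connection is accepted only while this source's bucket has tokens:
    # hashlimit keys on srcip, refills at RATE and holds at most BURST tokens.
    run iptables -A SSH_LIMIT -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" -j ACCEPT
    # Everything over the limit is logged (itself rate-limited) and dropped.
    run iptables -A SSH_LIMIT -m limit --limit 10/minute -j LOG --log-prefix "SSH_LIMIT: "
    run iptables -A SSH_LIMIT -j DROP
    # Send TCP traffic for the SSH port through the chain.
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j SSH_LIMIT
}

ssh_hashlimit_rules
```

Count dropped attempts with `grep SSH_LIMIT /var/log/kern.log | awk '{print $NF}' | sort | uniq -c` (adjust the field to your syslog format) to see which sources are hitting the limit.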
