Break-In Attempt -- Now What?

Tim Writer tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org
Tue Nov 30 20:59:40 UTC 2004


Alex Beamish <talexb-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> writes:

> On Tue, 30 Nov 2004 11:00:29 -0500, Peter King <peter.king-H217xnMUJC0sA/PxXw9srA at public.gmane.org> wrote:
> [..]
> > 
> > Okay, NOW WHAT?
> > 
> > I found the computer, and even have limited access to it; apart from
> > wanting to take it down as payback, I had and have no clue what to do
> > next. The Voice Over My Shoulder told me to give it up and go back to
> > rechecking those firewall rules. But I can't help but think if I just
> > knew a bit more, I could do something -- like find out the guy's ISP and
> > send them a note about cracker attempts.
> > 
> > Advice? Suggestions? (Other than "Get a life" I mean.)
> 
> Retribution? Don't bother. As other posters have mentioned, that
> machine you found is likely itself already hacked. I suppose you could
> write to the ISP, alerting them to the attack.
> 
> My first suggestion is to disable root login from SSH -- a suggestion
> that floated by on the list recently. Great advice .. I made that
> setting change immediately.

Even better is to disable password-based logins, allowing only key-based
logins.  This secures you against dictionary-based attacks.  Barring flaws in
ssh itself, an attacker would need your private ssh key and associated
passphrase to get into your computer via ssh.

> Is it possible to limit the range of IPs that SSH will accept a
> connection from? If you're leaving a connection open so you (or
> others) can log in from a couple of known locations, that kind of
> security will work fine.

If you take the above steps and keep ssh up-to-date, this (locking down ssh
access to a few IPs) buys you only a little additional security at quite a
cost in terms of inconvenience.

-- 
tim writer <tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org>                                  starnix inc.
647.722.5301                                      toronto, ontario, canada
http://www.starnix.com              professional linux services & products
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
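As an added example, not part of the original thread or anyone's post in it: a POSIX shell audit of the sshd_config settings discussed above (root login, password authentication, key-only access, and the optional per-address restriction via AllowUsers user@host patterns). Both config texts, the user names alice/bob, and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit sshd_config text for
# the settings discussed above. Both configs below are constructed samples.

# Constructed "before" config: root and password logins allowed (sshd's
# defaults at the time), so a dictionary attack over ssh is possible.
WEAK_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

# Constructed "after" config: key-only, no root, and (optionally) the
# per-address restriction from the thread via AllowUsers user@host patterns.
# alice/bob and the 192.0.2.* / 198.51.100.7 addresses are assumed values.
HARD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice@192.0.2.* bob@198.51.100.7'

# Print the effective global value (lowercased) of keyword $1 for the config
# read on stdin. Per sshd_config(5) the first occurrence of a keyword wins,
# and directives after a Match line apply only to matched connections, so
# reading stops there. "Keyword value" and "Keyword=value" are both accepted.
sshd_global() {
    awk -v key="$1" '
        { gsub(/=/, " ") }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

# Audit the config on stdin: one line per weakness on stdout, and the number
# of weaknesses as the exit status (0 = matches the advice in the thread).
sshd_audit() {
    cfg=$(cat)
    n=0
    # check KEYWORD WANTED DEFAULT: count a finding if the effective value
    # (DEFAULT when the keyword is absent) differs from WANTED.
    check() {
        v=$(printf '%s\n' "$cfg" | sshd_global "$1")
        v=${v:-$3}
        if [ "$v" != "$2" ]; then
            echo "$1 is '$v', want $2"
            n=$((n + 1))
        fi
    }
    # An absent PermitRootLogin/PasswordAuthentication/ChallengeResponse line
    # meant "yes" in OpenSSH of this era, so a missing directive is a finding.
    check PermitRootLogin no yes
    check PasswordAuthentication no yes
    check ChallengeResponseAuthentication no yes
    check PubkeyAuthentication yes yes
    return "$n"
}

printf '%s\n' "$WEAK_CONFIG" | sshd_audit || echo "weak config: $? finding(s)"
printf '%s\n' "$HARD_CONFIG" | sshd_audit && echo "hardened config: no findings"
```

The audit reads only the global section, so an exception carved out in a later Match block (for instance re-enabling passwords for one address range) is not seen by it; on a live server the authoritative view is the effective configuration that `sshd -T` prints, and after any change the daemon has to be reloaded before the old settings stop applying.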