BotNets
Perhaps the single biggest security threat for networked systems going forward is represented by botnets, defined as collections of compromised computer systems used for a variety of criminal activities, including distributed denial-of-service attacks, spamming, traffic sniffing, keylogging, identity theft, and click fraud …
[Figure: spam botnet diagram. Labels: (1) Spammer's web site, (2) Spammer, (3) Spamware, (4) Infected computers, (5) Virus or trojan, (6) Mail servers, (7) Users, (8) Web traffic]
Propagation of zombie code has been observed to occur through a number of Windows-specific worms, viruses, Trojans, and other forms of malware …
Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.
While it is true that computers running Linux are not subject to the many worms, viruses, and other malware that target Windows platforms, the Linux platform (even when taking advantage of the Linux Security Model with Mandatory Access Control) is known to be vulnerable to other forms of exploitation.
Recent studies of vulnerability trends point to two primary attack vectors: brute-force attacks against remote services such as SSH, FTP, and telnet, and Web application vulnerabilities …
Even this example password, asutcmhack123@, received a “Best” rating when tested with Microsoft’s online Password Checker tool, yet it was still cracked by a slow-motion brute-force SSH attack.
I believe that enforcing strong passwords is arguably the most important step system administrators can take to protect SSH servers from brute-force password attacks.
Second, the study’s results show that the root account was targeted in more than 25 percent of all malicious login attempts. Therefore, by disabling access to this account, system administrators can render useless a significant percentage of malicious traffic.
Third, run the SSH server on a non-standard high port to evade automated botnet scans.
Fourth, use TCP Wrappers or iptables, driven by tools such as DenyHosts, BlockHosts, or fail2ban, to block IP addresses after repeated failed login attempts.
It was found that over 93 percent of the 271 malicious IP addresses collected in a recent Jan ’08 study were already listed in the /etc/hosts.deny file of a local server synchronized with the DenyHosts central database. Servers using this service would therefore have been protected from the vast majority of the attacks observed in the study.
Fifth, an easier quick fix once an attack is identified, and one I’ve used in the past, is to restrict access to the SSH port by source IP address by simply adding source-address restrictions to the iptables firewall rules. But this works per IP, and the preventive rule set needs to be designed carefully, or an accidentally miswritten rule will create new vulnerabilities…
Sixth, a more complicated approach is to set up port-knocking or single packet authorization to restrict access to the SSH server port.
Seventh, configuring OpenSSH to require public-key authentication in place of passwords is a method I am becoming more and more familiar with at work…
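To make the fourth measure concrete, here is an added example (not code from the original post or from DenyHosts/fail2ban): a POSIX shell script that does the core of what those tools do, counting failed sshd password logins per source IP over a few log lines and emitting the /etc/hosts.deny entries for TCP Wrappers, plus a helper that computes the share of attempts aimed at root, the figure behind the second measure. The log lines, hostname, PIDs and IP addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a small DenyHosts/fail2ban-style
# pass over sshd log lines. It counts failed password logins per source IP
# and emits /etc/hosts.deny (TCP Wrappers) entries for IPs at or over a
# threshold. The log lines are constructed for this example in OpenSSH's
# "Failed password for [invalid user] NAME from IP port N ssh2" format.

SAMPLE_LOG='Jan  8 02:14:01 host sshd[4121]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan  8 02:14:03 host sshd[4121]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan  8 02:14:09 host sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
Jan  8 02:14:15 host sshd[4125]: Failed password for root from 203.0.113.7 port 51261 ssh2
Jan  8 02:15:30 host sshd[4130]: Failed password for root from 198.51.100.9 port 40011 ssh2
Jan  8 02:16:40 host sshd[4140]: Failed password for root from 198.51.100.9 port 40019 ssh2
Jan  8 02:16:50 host sshd[4142]: Accepted publickey for alice from 192.0.2.5 port 60022 ssh2
Jan  8 02:17:02 host sshd[4144]: Failed password for invalid user test from 192.0.2.77 port 40023 ssh2'

# offenders THRESHOLD LOGTEXT
# Prints "COUNT IP" for every source IP with at least THRESHOLD failed
# password attempts, highest count first; successful key logins are ignored.
offenders() {
    printf '%s\n' "$2" |
        awk -v t="$1" '
            /sshd\[[0-9]*\]: Failed password for / {
                for (i = 1; i <= NF; i++)
                    if ($i == "from") { fails[$(i + 1)]++; break }
            }
            END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }' |
        sort -rn
}

# hosts_deny_lines THRESHOLD LOGTEXT
# Renders the offenders as "sshd: IP" rules, the form DenyHosts appends to
# /etc/hosts.deny so TCP Wrappers refuses further connections from that IP.
hosts_deny_lines() {
    offenders "$1" "$2" | awk '{ print "sshd: " $2 }'
}

# root_share LOGTEXT
# Integer percentage of failed logins aimed at the root account (the study
# above found this above 25 percent), which is why disabling root login helps.
root_share() {
    printf '%s\n' "$1" | awk '
        /Failed password for / { total++ }
        /Failed password for root from / { root++ }
        END { print (total ? int(100 * root / total) : 0) }'
}

hosts_deny_lines 2 "$SAMPLE_LOG"
```

On a real host the same functions can be fed with the output of `grep sshd /var/log/auth.log` (path varies by distribution); the single attempt from 192.0.2.77 stays below the threshold and is not blocked, which is the trade-off every threshold-based blocker makes against the slow-motion attacks mentioned above.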