This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] Enough is enoug

Previous message (by thread): [anti-abuse-wg] Enough is enoug
Next message (by thread): [anti-abuse-wg] Enough is enoug

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Shane Kerr shane at time-travellers.org
Fri Mar 9 08:46:15 CET 2012

Dear anonymous Internet person,

On Friday, 2012-03-09 03:44:45 +0200, 
<info at dhn.li> wrote:
> i need help on people that every day try to hack our server
> for example this is just for to days log from fail2ban
> i made maximum try count 4 and 600 sec. than thay try later 600 sec
> again non stop please take control who they are and why they try
> endles, least 6 months our server IP 85.10.198.87

While it is possible that these are targeted attacks, most likely these
are just automated systems doing scans of random systems on the
Internet, looking for common vulnerabilities.

Personally I use denyhosts on my machines, which puts the offenders
in /etc/hosts.deny permanently. I just put up a machine 8 days ago, and
it already has 32 entries. Basically this means that any host on the
Internet that is listening on the SSH port is going to get constant
attempts of someone to hack the machine.

Question to the room - does anyone have a similar technology that works
with IPv6? AFAIK both denyhosts and fail2ban only work for IPv4. :(

Anyway, back to securing the boxes... You're already using fail2ban
which makes brute force login attempts impractical, so you probably
don't need to worry too much, unless you let users pick their own
passwords in which case they may either pick very insecure passwords or
use the same ones everywhere. Many web sites store their passwords
unencrypted, and if they get hacked then your users' passwords can be
compromised. If you control the passwords of all accounts, then you can
pick practically safe ones, otherwise you may want to consider
requiring public key authentication. 

If you're thinking about the larger issue of how to stop such
attacks... I don't know. Surely some ISPs are better or worse than
others, but in the end any compromised host on the Internet can be the
source of such attacks. I kind of think it will require similar effort
to anti-spam work, and it doesn't annoy people on a daily basis in the
same way that spam does.

Good luck sir,

--
Shane

Previous message (by thread): [anti-abuse-wg] Enough is enoug
Next message (by thread): [anti-abuse-wg] Enough is enoug

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]