Need help!

Matthew T. Eskes meskes at azcomputercentral.com
Sun May 1 05:53:10 CDT 2005


Jack wrote:

>--- "D. Hageman" wrote:
>
>>On Sat, 30 Apr 2005, Jack wrote:
>>
>>>Taking the box offline would take down my mail server.
>>>I use this yahoo account for kclug, but I get all my
>>>regular mail through accounts on my mail server. I
>>>didn't say the box has been compromised, I just want
>>>advice on blocking these attacks as much as possible.
>>>But I don't want to bring my box to a crawl to do it.
>>
>>You should consider getting a secondary MX server.
>>There will be times where you just can't avoid having
>>the box be inaccessible.  If you had a secondary MX
>>this would be a non-issue.
>>
>I would like to add a secondary MX box. It's on my
>wish list. However, I don't see how that would make it
>a non-issue. If I take one box down, then the second
>one would become the attack target. I'm looking for
>solution to reduce the attacks. The box is a "busy
>box", that is running several services. It runs the
>firewall, webserver, mail server and of course is also
>hosting ssh access. The primary attack is focused on
>the sshd. The system is running stable with one or two
>services apt-pinned to testing and has the latest
>patches. I've analysed the system remotely a little
>and didn't see any indications of the system actually
>getting cracked. I'm primarily looking for techniques
>and suggesstions on ways to further lock out these
>crackers, without bogging down the box. Also on the
>remote checking of the system, what are some favorite
>tools for this?
>
>Thanks,
>Brian
>
If all they are doing is the usual BS ssh sniffing, run sshd on a 
non-standard port... I usually run mine on something like 2280, that 
way it's easy to remember but won't get scanned since the kiddies don't 
seem to do an actual nmap. From what I've seen, all they really do is IP 
a netblock range and run a script that looks for a session connection 
and once it finds one, does dictionary scans with common names like 
"test" and then regular names. Or another thing you can do is use 
shared key auth. Just an idea.

matt
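For the remote log checking Brian asks about, here is an added example (my own, not code from anyone in this thread) that picks the scan pattern Matt describes, one source walking through "test"-style names and then real ones, out of sshd lines in auth.log. The log lines, hostnames and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the thread): one source
# runs a name list against sshd, a legitimate user mistypes a password once.
SAMPLE_AUTH_LOG = """\
Apr 30 23:10:01 mailbox sshd[4412]: Failed password for invalid user test from 203.0.113.7 port 51022 ssh2
Apr 30 23:10:03 mailbox sshd[4413]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Apr 30 23:10:05 mailbox sshd[4414]: Failed password for invalid user guest from 203.0.113.7 port 51024 ssh2
Apr 30 23:10:07 mailbox sshd[4415]: Failed password for root from 203.0.113.7 port 51025 ssh2
Apr 30 23:10:09 mailbox sshd[4416]: Failed password for brian from 203.0.113.7 port 51026 ssh2
Apr 30 23:11:40 mailbox sshd[4420]: Accepted publickey for brian from 198.51.100.4 port 40012 ssh2
Apr 30 23:12:02 mailbox sshd[4421]: Failed password for brian from 198.51.100.4 port 40013 ssh2
"""

# Matches the OpenSSH failure line for both existing and non-existent accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def failed_logins(log_text):
    """Map source IP -> list of usernames (in order) that failed password auth."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_ip[m.group("ip")].append(m.group("user"))
    return dict(by_ip)


def invalid_user_counts(log_text):
    """Map source IP -> number of attempts against accounts that do not exist.
    Guessing names that are not on the box is the clearest scanner signature."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group("invalid"):
            counts[m.group("ip")] += 1
    return dict(counts)


def dictionary_scanners(log_text, min_distinct_users=4):
    """Flag sources that failed against at least `min_distinct_users` different
    names; a real user who fat-fingers a password only ever hits one name."""
    flagged = {}
    for ip, users in failed_logins(log_text).items():
        distinct = sorted(set(users))
        if len(distinct) >= min_distinct_users:
            flagged[ip] = distinct
    return flagged
```

Point it at the real file with `dictionary_scanners(open("/var/log/auth.log").read())`; the flagged addresses are what you would feed a firewall rule, and the `invalid user` count tells you how much of the noise is aimed at accounts you do not even have.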

