[ale] Hack of the month...

James P. Kinney III jkinney at localnetsolutions.com
Wed Dec 14 09:11:06 EST 2005


On Wed, 2005-12-14 at 08:06 -0500, Christopher Fowler wrote:
> This is an attempt on one of my devices in colo.  At home I would not
> mind so much but this is a corporate site so I need to put a procedure
> in place so our support/admin staff can handle these attempts
> professionally and legally.  Anyone here have a similar procedure and
> can give me insight?
> 

It depends on what the system is doing that is being attacked. If it is
a financial system that could divulge personal info and cause much grief
(i.e. - lawsuit) then only allow ssh from specific IP addresses AND
require key access AND block password access AND log all other attempts
in iptables AND document the attempts and forward them to the upstream
provider of the would-be cracker.

Due to the native power of a *nix system (as compared to a windblowz) I
consider them to all be pretty much munitions grade hardware and as
such, ANY AND ALL unauthorized access or use is treated as a serious
criminal trespass.

All edge systems need something like Tripwire for integrity checks and
they must be used (i.e. verified against a known good record) daily.

Policy: All attempts to gain access by unauthorized persons should be
reported to the ISP of the unauthorized person with suitable legalese
documentation demanding follow-up communication about what the ISP did
and to whom.
> 
> On Wed, 2005-12-14 at 07:52 -0500, Paul Cartwright wrote:
> > On Wed December 14 2005 7:40 am, Christopher Fowler wrote:
> > > What is the attempt here and how are they attempting?
> > >
> > > Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Invalid
> > > user testing from 68.120.97.218
> > > Dec 14 02:58:10 209.168.246.231 authpriv.err sshd[194]: error: Could
> > > not get shadow information for NOUSER
> > > Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Failed
> > > password for invalid user testing from 68.120.97.218 port 59698 ssh2
> > 
> > arin whois: http://ws.arin.net/cgi-bin/whois.pl
> > 
> > shows that as an SBC user, you might want to report your logfile to :
> > 
> > OrgAbuseHandle: ABUSE6-ARIN
> > OrgAbuseName:   Abuse - Southwestern Bell Internet 
> > OrgAbusePhone:  +1-800-648-1626
> > OrgAbuseEmail:  abuse at sbcglobal.net
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
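One way to turn the sshd syslog excerpt quoted in this thread into the "document the attempts and forward them to the upstream provider" step of the policy above, as an added example that is not code from anyone on the list: parse the "Failed password" lines, group them by source IP, and produce the plain-text summary an admin would send to the abuse contact Paul looked up. The first three sample lines are the ones quoted in the thread; the rest are constructed in the same shape, and the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log: the first three lines are the thread's excerpt, the
# remaining lines are made up in the same syslog/sshd shape (192.0.2.10 is a
# documentation address standing in for a legitimate admin login).
SAMPLE_LOG = """\
Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Invalid user testing from 68.120.97.218
Dec 14 02:58:10 209.168.246.231 authpriv.err sshd[194]: error: Could not get shadow information for NOUSER
Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Failed password for invalid user testing from 68.120.97.218 port 59698 ssh2
Dec 14 02:58:12 209.168.246.231 authpriv.info sshd[195]: Failed password for invalid user admin from 68.120.97.218 port 59702 ssh2
Dec 14 02:58:15 209.168.246.231 authpriv.info sshd[196]: Failed password for root from 68.120.97.218 port 59710 ssh2
Dec 14 03:01:40 209.168.246.231 authpriv.info sshd[201]: Accepted publickey for jdoe from 192.0.2.10 port 40022 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)

def failed_logins(log_text):
    """Return one dict (ts, host, user, src, port) per 'Failed password' line."""
    return [m.groupdict() for line in log_text.splitlines() if (m := FAILED.search(line))]

def summarize_by_source(events, threshold=3):
    """Group failures by source IP; keep sources with at least `threshold` failures."""
    by_src = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for ev in events:
        s = by_src[ev["src"]]
        s["count"] += 1
        s["users"].add(ev["user"])
        s["first"] = s["first"] or ev["ts"]   # log lines are in time order
        s["last"] = ev["ts"]
    return {src: s for src, s in by_src.items() if s["count"] >= threshold}

def abuse_report(log_text, target_host, threshold=3):
    """Build the plain-text body an admin would forward to the source's abuse contact."""
    summary = summarize_by_source(failed_logins(log_text), threshold)
    lines = []
    for src, s in sorted(summary.items()):
        lines.append(f"Source {src}: {s['count']} failed SSH logins against {target_host} "
                     f"between {s['first']} and {s['last']}; "
                     f"usernames tried: {', '.join(sorted(s['users']))}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(abuse_report(SAMPLE_LOG, "209.168.246.231"))
```

The raw matching lines should go out alongside this summary; the grouped view is only the cover text for the report.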
