
Re: [LUG] iptables and hackers

On 31/08/11 10:54, Gordon Henderson wrote:
On Wed, 31 Aug 2011, Anthony Williams wrote:

On 30/08/11 21:19, Dave Morgan wrote:
taylorjoshu00@xxxxxxxxxxxxxx wrote:
I'm sure you can set fail2ban to look for errors in the apache log, would that help?

Thanks for the fail2ban stuff folks; my Apache logs have a lot of access attempts on various phpmyadmin URLs, so it's good to be able to filter out those attackers.


One thing to be aware of: fail2ban is a solution that follows the "closing the door after the horse has bolted" type of scenario. It will not catch the first (and possibly not the 2nd, 3rd, etc. depending on configuration) probe, and if that first probe is the one that finds the vulnerability - zero-day exploit - then you've lost and they've gotten in.

It's probably more suited to reducing attacks like password guesses on ssh, telnet, ftp, pop, imap, etc. services than random URL probes at a web server. Even then, if your passwords are secure, all it's saving you is a tiny bit of bandwidth.

So don't use it as an excuse to not keep things patched and up to date. It's just one tool in an overall strategy.

Gordon


Fail2ban is great, but yes, it doesn't prevent attacks, like you said; it just searches logs with a regex and adds rules to iptables if x amount of matches are found for y. It doesn't protect against vulnerabilities, but that's not its purpose. It's just a tool to prevent brute forcing. I get at least two-three Chinese hackers banned a day for trying to crack FTP accounts etc.

@somewhere in thread: Changing port numbers doesn't make you more secure, but it has had a drastic effect for me, decreasing the amount ten-fold. As someone said, that's only due to the script kiddies moving on, most likely.

@somewhere else: Disabling root is a must. That's the first thing any attacker will try and get hold of. As for sudo vs su, at the end of the day they are pretty much the same, no? I would imagine sudo only being useful when there's a lot of users on a system or server. sudo doesn't protect against "accidental commands", especially if you always use sudo -i like me.

Gibbs
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
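As an added example (not code from the thread or from fail2ban itself), this Python script shows the counting Gibbs describes: a filter regex run over Apache access-log lines, with a client flagged once maxretry matches fall within findtime seconds, and the iptables rule that would result. It also makes Gordon's caveat visible: the probes before the threshold are never blocked, and a prober that spaces requests out never trips it. The log lines, the phpmyadmin-probe regex and the addresses (RFC 5737 documentation ranges) are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines, sorted by time (sample data only).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2011:10:54:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 214 "-" "-"
203.0.113.7 - - [31/Aug/2011:10:54:02 +0100] "GET /phpMyAdmin/ HTTP/1.1" 404 214 "-" "-"
203.0.113.7 - - [31/Aug/2011:10:54:03 +0100] "GET /pma/ HTTP/1.1" 404 214 "-" "-"
198.51.100.9 - - [31/Aug/2011:10:55:10 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla"
198.51.100.9 - - [31/Aug/2011:10:56:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 214 "-" "-"
198.51.100.9 - - [31/Aug/2011:11:30:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 214 "-" "-"
"""

# Hypothetical failregex for phpmyadmin URL probes that the server answered with 403/404.
# fail2ban would write <HOST> where this regex captures the client address as "host".
PROBE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) /(?:phpmyadmin|phpMyAdmin|pma|myadmin)\S* HTTP/[\d.]+" 40[34] '
)


def scan(log_text, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for clients with >= maxretry regex matches inside a
    sliding window of findtime seconds (the same counting fail2ban applies).
    Nothing is banned here; the caller decides what to do with the result."""
    recent = defaultdict(deque)  # ip -> timestamps of matches still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if not m or m.group("host") in banned:
            continue  # not a probe, or this client is already on the ban list
        ip = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # matches older than findtime no longer count
        if len(window) >= maxretry:
            banned[ip] = ts  # every probe up to and including this one already got through
    return banned


def ban_command(ip):
    # Simplified form of the rule a ban adds (assumption: fail2ban's own action uses a
    # per-jail chain rather than inserting straight into INPUT as shown here).
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban {ip}: {ban_command(ip)}")
```

With the defaults, 203.0.113.7 is flagged on its third probe at 10:54:03 after two probes were already served, while 198.51.100.9's two probes 34 minutes apart never reach the threshold; raising findtime to 3600 with maxretry=2 catches that slower client as well.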