[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
- <!--x-content-type: text/plain -->
- <!--x-date: Wed, 14 Dec 2005 17:38:54 -0500 -->
- <!--x-from-r13: nqeva ng oryyfbhgu.arg (V. O. Egbel) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] Hack of the month... -->
- <li><em>date</em>: Wed, 14 Dec 2005 17:38:54 -0500</li>
- <li><em>from</em>: adrin at bellsouth.net (H. A. Story)</li>
- <li><em>in-reply-to</em>: <<a href="msg00179.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00170.html">[email protected]</a>> <<a href="msg00174.html">[email protected]</a>> <<a href="msg00175.html">[email protected]</a>> <<a href="msg00179.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] Hack of the month...</li>
James P. Kinney III wrote:
>On Wed, 2005-12-14 at 08:06 -0500, Christopher Fowler wrote:
>
>
>>This is an attempt on one of my devices in colo. At home I would not
>>mind so much but this is a corporate site so I need to put a procedure
>>in place so our support/admin staff can handle these attempts
>>professionally and leagally. Anyone here have a similar procedure and
>>can give me insight?
>>
>>
>>
>
>It depends on what the system is doing that is being attacked. If it is
>a financial system that could divulge personal info and cause much grief
>(i.e. - lawsuit) then only allow ssh from specific IP addresses AND
>require key access AND block password access AND log all other attempts
>in iptables AND document the attempts and forward them to the upstream
>provider of the would-be cracker.
>
>Due to the native power of a *nix system (as compared to a windblowz) I
>consider them to all be pretty much munitions grade hardware and as
>such, ANY AND ALL unauthorized access or use is treated as a serious
>criminal trespass.
>
>All edge systems need something like Tripwire for integrity checks and
>they must be used (i.e. verified against a known good record) daily.
>
>Policy: All attempts to gain access by unauthorized persons should be
>reported to the ISP of the unauthorized person with suitable legalize
>documentation demanding follow-up communication about what the ISP did
>and to whom.
>
>
>>On Wed, 2005-12-14 at 07:52 -0500, Paul Cartwright wrote:
>>
>>
>>>On Wed December 14 2005 7:40 am, Christopher Fowler wrote:
>>>
>>>
>>>>What is the attempt here and how are they attempting?
>>>>
>>>>Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Invalid
>>>>user testing from 68.120.97.218
>>>>Dec 14 02:58:10 209.168.246.231 authpriv.err sshd[194]: error: Could
>>>>not get shadow information for NOUSER
>>>>Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Failed
>>>>password for invalid user testing from 68.120.97.218 port 59698 ssh2
>>>>
>>>>
>>>arin whois: <a rel="nofollow" href="http://ws.arin.net/cgi-bin/whois.pl";>http://ws.arin.net/cgi-bin/whois.pl</a>
>>>
>>>shows that as an SBC user, you might want to report your logfile to :
>>>
>>>OrgAbuseHandle: ABUSE6-ARIN
>>>OrgAbuseName: Abuse - Southwestern Bell Internet
>>>OrgAbusePhone: +1-800-648-1626
>>>OrgAbuseEmail: abuse at sbcglobal.net
>>>
>>>
>>_______________________________________________
>>Ale mailing list
>>Ale at ale.org
>><a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
>>
>>
>>------------------------------------------------------------------------
>>
>>_______________________________________________
>>Ale mailing list
>>Ale at ale.org
>><a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
>>
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00170" href="msg00170.html">[ale] Hack of the month...</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
<li><strong><a name="00174" href="msg00174.html">[ale] Hack of the month...</a></strong>
<ul><li><em>From:</em> paul_tbot at pcartwright.com (Paul Cartwright)</li></ul></li>
<li><strong><a name="00175" href="msg00175.html">[ale] Hack of the month...</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
<li><strong><a name="00179" href="msg00179.html">[ale] Hack of the month...</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00188.html">[ale] Recoding in Linux</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00190.html">[ale] Hack of the month...</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00179.html">[ale] Hack of the month...</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00178.html">[ale] Hack of the month...</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00189"><strong>Date</strong></a></li>
<li><a href="threads.html#00189"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>