Hacker Activity Up
Posted 14 April 2010 - 10:57 AM
The Internet Storm Center is still reporting a Green threat level this morning, but I've noticed a higher than normal level of root login attempts so far today. On my servers the attempts started earlier this morning around 7:20am EDT, and are still in process. And it's coming from previously hacked PCs and servers worldwide.
To give you an idea of the difference in scale, typically by this point in the day I've seen 1 or 2 root hack attempts. As of a couple of minutes ago, when I last checked, my servers have blocked the IPs of, on average, 20 or so failed root logon attempts.
Something's in the wind, not sure what it is yet though. So be vigilant!
Posted 14 April 2010 - 05:45 PM
Posted 15 April 2010 - 07:52 AM
Posted 15 April 2010 - 11:47 AM
I think I've mentioned it around here before, but I use a combination of CSF and LFD on my servers. Part of the reason I do this is that it actively looks at the MD5 sums on files that actually run the server, and sends me a notice (daily as it's normally configured) to let me know if a file has been changed. This indicates a possible hack if I haven't updated/upgraded myself, of course. And on the firewall side of things, it actively monitors things like SSH and even FTP connections. You can configure it to automatically create a Deny rule in the firewall if there are X number of failed login attempts in Y minutes. So your server doesn't sit there continuing to get hammered by the hackers using brute force dictionary attempts. And it watches for port scans too.
In my mind this is much preferable to letting them sit there for 30 minutes or hours hammering away with hundreds or thousands of login attempts. And if I do something stupid like typing in the wrong password on the wrong server a couple of times, I just take a 10 minute break after the first couple to make sure I don't end up blocking myself.
For my servers csf/lfd is configured to be 5 failures within 5 minutes for SSH, or 10 failures in 5 minutes for FTP. Those are the default settings I believe, so nothing special on my part. Basically if someone comes by and tries to break in via either route, and they're doing it via software that just throws everything and the kitchen sink trying to find a hole, they get silently blocked in my firewall rules. Usually within seconds. And it then sends me an email to let me know what's happened.
Because I've got a pretty decent system already in place, the only change I made was to have the MD5Sum check happen more often. Just to get an earlier heads up in case someone did get in. Nobody has, knock on wood.
If you want to see what's been happening on the attempted logins side of things you can manually review the file at /var/log/secure. Or if your server is set up to gzip and rotate logs daily like mine is, you may have to gunzip and nano -w into secure.1.gz to see yesterday's activity. That should show you both SSH and FTP login attempts. Both successful and unsuccessful.
If you want to watch it actively to apply firewall blocks like my software does automatically, you can ssh in as root or admin and tail -f /var/log/secure to see what's happening in real time.
As for this latest one, it appears as if it may have been a one day event. I noticed it slowing down a bit yesterday evening and I haven't had a single break in attempt since around 2am this morning. Got a ton of them yesterday, especially during the morning and early afternoon. I haven't crunched the numbers yet, but it looks to be somewhere around 100 or so individual hack/login attempts for each server. Normally that's just a handful per day, to give you an idea of the change.
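As an added illustration (not code from the original post or from the CSF/LFD project), this small Python script applies the same rule the post describes, 5 failed SSH logins from one source IP within 5 minutes, to constructed lines in /var/log/secure format. The hostnames and IPs are documentation-range placeholders, the year is assumed (secure logs carry none), and the regex is written for the sshd "Failed password" message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in /var/log/secure format (not from a real server).
# 192.0.2.10 fails five times in 21 seconds; 198.51.100.7 fails five times
# but spaced nine minutes apart, so it never hits 5 failures in 5 minutes.
SAMPLE_LOG = """\
Apr 14 07:20:01 web1 sshd[2001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 14 07:20:04 web1 sshd[2002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Apr 14 07:20:09 web1 sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Apr 14 07:20:15 web1 sshd[2004]: Failed password for root from 192.0.2.10 port 40004 ssh2
Apr 14 07:20:22 web1 sshd[2005]: Failed password for root from 192.0.2.10 port 40005 ssh2
Apr 14 07:31:00 web1 sshd[2010]: Failed password for root from 198.51.100.7 port 50001 ssh2
Apr 14 07:40:00 web1 sshd[2011]: Failed password for root from 198.51.100.7 port 50002 ssh2
Apr 14 07:49:00 web1 sshd[2012]: Failed password for root from 198.51.100.7 port 50003 ssh2
Apr 14 07:58:00 web1 sshd[2013]: Failed password for root from 198.51.100.7 port 50004 ssh2
Apr 14 08:07:00 web1 sshd[2014]: Failed password for root from 198.51.100.7 port 50005 ssh2
Apr 14 08:10:00 web1 sshd[2020]: Accepted publickey for deploy from 203.0.113.5 port 60001 ssh2
"""

# Matches sshd failed-password lines, including the "invalid user" variant.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text, year=2010):
    """Yield (timestamp, user, ip) for every failed sshd login line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(text, max_failures=5, window_seconds=300):
    """Sliding-window check: map each IP that reaches max_failures within
    window_seconds to the ISO timestamp at which a block would trigger."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    for ts, _user, ip in parse_failures(text):
        if ip in blocked:
            continue              # already blocked; later packets would be dropped
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_failures:
            blocked[ip] = ts.isoformat()
    return blocked

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # only 192.0.2.10 crosses the threshold
```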