On Sat, Feb 26, 2005 at 01:29:53PM -0500, steve at horne.homelinux.net wrote:
> I have a cable modem connected to a "firewall" -- slackware based,
> 2.4.22, iptables. Recently I've seen an increase in the number of dictionary-based
> attacks. Log fills up with stuff like this:
> Feb 25 20:01:56 horne sshd[2407]: Failed password for root from 61.177.137.170 port 58956 ssh2
> ..........
> Do I have any other options? Can Comcast block them upstream?

Yes they can; they won't. These things have to hit a certain minimum
economic/security impact before an ISP becomes concerned about it.
Same w/ the FBI.

> Do ISPs, in general, care about this sort of thing?

Not enough to do anything about it (mostly).

> Do I have any other options?

#1 - Make sure none of your systems allow root logins. Use sudo or, if you
must, use "su -" to promote yourself to root when needed.

#2 - Modify iptables to allow inbound ssh connections only from known IP
addresses.

#3 - If you need to allow inbound ssh from "not yet known" IP addresses,
create a private "port knocking" scheme to dynamically add allowed IP
addresses to your iptables configuration and drop those IP addresses from
iptables as soon as the ssh connection is closed.

Note - in general, port knocking is considered to be a poor security
practice. It relies on security by obscurity. Turn it off whenever you
don't absolutely need it.

#4 - Get a "SecurID" token card and software and use them to enable and
authorize remote access to your system. This is one of the ways to control
remote access (single-use randomly generated authorization strings).
But... this solution costs money.

-- 
Jeff Kinz, Emergent Research, Hudson, MA.
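What #1 and #2 look like in practice, plus a triage of the "Failed password" lines from the original question, as an added shell example that is not part of Jeff's reply or of Steve's post. The function names, the failure threshold, the allow-listed addresses 192.0.2.10 and 198.51.100.7, and every sample log line except the one quoted above are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the BLU thread. All addresses, thresholds and
# function names below are assumptions made for illustration.

# ssh_allow_rules IP... : print an iptables-restore fragment for the filter
# table that accepts new ssh connections only from the listed sources. The
# INPUT policy is DROP, so anything not explicitly allowed is discarded before
# it ever reaches sshd, which is what keeps the dictionary attacks out of the
# log. "-m state" is the match that existed on 2.4-era kernels.
ssh_allow_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        echo "-A INPUT -p tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT"
    done
    # Log the rest at a limited rate so a scan cannot fill the disk, then drop.
    echo '-A INPUT -p tcp --dport 22 -m limit --limit 3/min -j LOG --log-prefix "ssh-drop: "'
    echo '-A INPUT -p tcp --dport 22 -j DROP'
    echo 'COMMIT'
}

# permit_root_login < sshd_config : print the effective PermitRootLogin value.
# sshd honours the first occurrence of a keyword; when the keyword is absent
# the default in OpenSSH of that era was "yes", which is what #1 warns about.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }'
}

# ssh_offenders [THRESHOLD] < logfile : print source IPs that appear in at
# least THRESHOLD (default 5) "Failed password" lines, busiest first. The IP
# is taken as the word after "from", which also covers "invalid user" lines.
ssh_offenders() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn | awk '{ print $2 }'
}

# ssh_drop_rules [THRESHOLD] < logfile : turn the offenders into iptables
# commands that can be reviewed and then run as root.
ssh_drop_rules() {
    ssh_offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -p tcp -s $ip --dport 22 -j DROP"
    done
}

# Constructed sample: the first line is the one quoted in the question, the
# rest are made up for the example (192.0.2.10 is a documentation address).
SAMPLE_LOG='Feb 25 20:01:56 horne sshd[2407]: Failed password for root from 61.177.137.170 port 58956 ssh2
Feb 25 20:01:59 horne sshd[2409]: Failed password for root from 61.177.137.170 port 58961 ssh2
Feb 25 20:02:03 horne sshd[2411]: Failed password for invalid user admin from 61.177.137.170 port 58970 ssh2
Feb 25 20:05:10 horne sshd[2420]: Failed password for steve from 192.0.2.10 port 40001 ssh2
Feb 25 20:05:15 horne sshd[2421]: Accepted publickey for steve from 192.0.2.10 port 40002 ssh2'

# Stand-alone demonstration: the allow-list ruleset, then the drop commands
# for any source with three or more failures in the sample.
ssh_allow_rules 192.0.2.10 198.51.100.7
printf '%s\n' "$SAMPLE_LOG" | ssh_drop_rules 3
```

Run as root, `ssh_allow_rules 192.0.2.10 198.51.100.7 | iptables-restore` installs the allow-list in one atomic step; review the output first, since a typo in the list locks you out of a remote box. The drop rules from `ssh_drop_rules` are only a stopgap for a host that still has to accept ssh from unknown addresses, and they do not survive a reboot unless saved.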