Bogus "account hacked" message
Grant Taylor
cctalk at gtaylor.tnetconsulting.net
Tue Jan 8 21:42:28 CST 2019
On 1/8/19 7:56 PM, Jon Elson via cctalk wrote:
> Interesting observation I made a few years ago. I run a web store, and
> was being inundated with ssh login attempts. About 1000/day! I decided
> this was serious, they'd eventually get lucky.
It's really hard for them to get lucky if you don't allow password based
authentication. ;-)
It's also even harder for them to get lucky if you move your SSH daemon
to an alternate port and / or put it behind port knocking / single
packet authorization. }:-)
> So, searching available software, I found denyhosts. It checks the logs
> for login failures, and after a set threshold, it puts the source IP
> into the hosts.deny list, and your machine effectively disappears from
> that source IP's view.
Yes and no. DenyHosts is a useful tool. But hosts.deny / hosts.allow
is TCP Wrappers. Your services need to both support and be configured
to use TCP Wrappers. Not everything is compiled with support for, or
configured to use, TCP Wrappers.
I personally prefer to add a reject route and enable reverse path
filtering. That operates at a lower level and protects EVERYTHING on
the system without requiring any feature, like TCP Wrappers.
> I set the rules very strictly, so that after 3 login failures over a 2
> month span, that IP was blocked for a year. Something very interesting
> happened.
I think that your rule logic could just as easily be applied to reject
routes.
> The number of attempts did not diminish immediately, as the botnets had
> a large number of compromised machines. But, suddenly, two weeks to the
> EXACT HOUR when I set up denyhosts, the attacks dropped from 1000/day to
> 3! Just like flipping a switch!
Intriguing.
> So, these hackers have a dark net list somewhere where they trade IP
> addresses of machines they would like to hack, and what they can figure
> out about the security measures implemented on them. When they have
> demonstrated by coordinated attempts that your lockout horizon is over
> two weeks, they put out the word that your site is not going to bear
> any fruit.
Yep. Black hats communicate with each other just like white hats do.
Of course, it could have been one bot-net & bot-herder too. I've heard
tell of bot-nets of 300,000 bots.
> I currently have 9000-some blocked IPs in hosts.deny, I wonder how much
> that slows down my store.
I doubt much at all.
(Assuming that your web server supports and is using TCP Wrappers.)
> Ugh, the stuff we are forced to go through.
Yep. Oy Vey comes to mind.
--
Grant. . . .
unix || die
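Grant's reject-route approach applied to Jon's failure-count rule, as an added Python example that is not code from the thread: it counts sshd password failures per source address in a few constructed auth.log lines, and for every address at or above the threshold builds the `ip route add unreachable` command plus the strict `rp_filter` sysctl, so the kernel drops inbound packets from that source before any service (TCP Wrappers or not) sees them. The threshold, the sample lines and the dry-run default are assumptions; the two-month window and one-year expiry from the thread are not modelled.

```python
import re
import subprocess
from collections import Counter

# Constructed sample log lines (not from the original thread).
SAMPLE_LOG = """\
Jan  8 19:01:02 shop sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  8 19:01:07 shop sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan  8 19:01:12 shop sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Jan  8 19:02:40 shop sshd[1210]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan  8 19:03:00 shop sshd[1212]: Accepted publickey for jon from 192.0.2.10 port 50022 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port"
)

def failures_by_ip(log_text):
    """Count sshd password failures per source address (the DenyHosts rule input)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def ips_to_block(log_text, threshold=3):
    """Addresses that reached the failure threshold (3 is an assumed value)."""
    return sorted(ip for ip, n in failures_by_ip(log_text).items() if n >= threshold)

def reject_route_commands(ips):
    """Build the commands for Grant's approach: strict reverse-path filtering plus
    one 'unreachable' (reject) route per address. With rp_filter=1 a packet whose
    source has only a reject route fails the reverse-path check and is dropped
    for every service on the host. Verify with: ip route show type unreachable"""
    cmds = [["sysctl", "-w", "net.ipv4.conf.all.rp_filter=1"]]
    for ip in ips:
        cmds.append(["ip", "route", "add", "unreachable", f"{ip}/32"])
    return cmds

def apply(cmds, dry_run=True):
    """Print the commands (dry run, assumed default) or run them as root."""
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)

if __name__ == "__main__":
    apply(reject_route_commands(ips_to_block(SAMPLE_LOG)))
```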