Sunday, October 4, 2009

You aren't safe just because you run Linux

I picked up a link to this article that was posted on Slashdot. It appears that the compromised systems were broken into either through an exposed user's SSH login (probably a brute-force attack that found a weak password) or through an unpatched, remotely reachable web application (e.g., the Roundcube webmail client was mentioned in one of the links that came up when I Googled the attack name).

The sad thing is that there are a number of ways to keep brute-force attackers at bay for SSH. Fail2ban is probably the most comprehensive: it watches the authentication log for repeated failures from the same IP address and adds a firewall rule to block that address for a while, and it can be used to protect other exposed logins such as webmail. Another alternative is to use the built-in Linux firewall (iptables) to allow only so many new connection attempts from a specific IP address within a time window before dropping further connections from the offending address. I posted an extensive article on my personal blog on how to set up this particular method (and a few other SSH "protection" tricks) if anyone is interested.
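To make the two approaches concrete, here is an added example (not code from the original post or from the blog article it refers to). The first function does in a few lines what fail2ban does for sshd: it parses "Failed password" lines from a syslog-style auth.log, keeps a sliding window of failures per source address, and marks an address for banning once it exceeds a threshold inside the window. The second function produces the iptables `recent`-module rules that implement the firewall-only alternative. The log lines, the year, the thresholds (named after fail2ban's `maxretry` and `findtime` options) and the chain name are constructed assumptions, and the iptables commands are returned as strings rather than executed, so the script runs anywhere.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (assumption, not from any real host).
# 203.0.113.7 hammers the box four times in eight seconds; 198.51.100.9 is a legitimate
# user who mistypes a password once an hour.
SAMPLE_AUTH_LOG = """\
Oct  4 10:15:01 host sshd[2011]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  4 10:15:03 host sshd[2013]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct  4 10:15:06 host sshd[2015]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct  4 10:15:09 host sshd[2017]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct  4 10:16:40 host sshd[2020]: Accepted publickey for dave from 198.51.100.9 port 40012 ssh2
Oct  4 10:20:00 host sshd[2030]: Failed password for dave from 198.51.100.9 port 40020 ssh2
Oct  4 11:20:00 host sshd[2040]: Failed password for dave from 198.51.100.9 port 40021 ssh2
Oct  4 12:20:00 host sshd[2050]: Failed password for dave from 198.51.100.9 port 40022 ssh2
"""

# Matches OpenSSH's password-failure line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_syslog_time(ts, year=2009):
    """Syslog timestamps carry no year; the year is an assumption for this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforcers(log_text, maxretry=3, findtime=600):
    """fail2ban-style detection.

    Returns {ip: time_of_the_failure_that_tripped_the_threshold} for every address
    with at least `maxretry` failed logins inside any `findtime`-second window.
    """
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other noise are ignored
        ip = m.group("ip")
        t = parse_syslog_time(m.group("ts"))
        q = windows[ip]
        q.append(t)
        # Drop failures older than the window so slow, patient mistakes don't accumulate.
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = t
    return banned


def ban_commands(banned, chain="INPUT"):
    """Per-address block rules, the way a log-watching banner would insert them.

    fail2ban actually uses its own jail chain; inserting into INPUT is an assumption
    that keeps the example self-contained. Returned as strings, never executed here.
    """
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(banned)]


def recent_module_rules(seconds=60, hitcount=4, port=22):
    """The firewall-only alternative: the kernel counts new SSH connections per source.

    The first rule records every new connection in the 'SSH' list; the second drops a
    new connection if the same source already has `hitcount` entries within `seconds`.
    No log parsing and no daemon, but also no exemption for a legitimate user who is
    merely clumsy, so the list is worth pairing with an allow rule for known addresses.
    """
    base = f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW -m recent --name SSH"
    return [
        f"{base} --set",
        f"{base} --update --seconds {seconds} --hitcount {hitcount} -j DROP",
    ]


if __name__ == "__main__":
    offenders = find_bruteforcers(SAMPLE_AUTH_LOG)
    for ip, when in offenders.items():
        print(f"{ip} tripped the threshold at {when:%H:%M:%S}")
    print("\n".join(ban_commands(offenders)))
    print("\n".join(recent_module_rules()))
```

With the defaults, only 203.0.113.7 is banned (its third failure arrives five seconds after the first), while 198.51.100.9's three failures spread over two hours never land inside one 600-second window. Widening `findtime` to three hours catches the slow attacker too, which is exactly the trade-off `findtime` exists to tune.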

Cheers,
Dave

1 comment:

  1. The Slashdot article is interesting, but I liked your personal blog better. Very good information.

About Me

B.Sc. ('78) and M.Sc. ('80) in Math from Ohio State followed by 12 yrs at TRW and a variety of software development positions since then. Currently living in Colorado and enjoying "trial retirement". For fun I climb mountains in the summer and ski down them in the winter, fix gourmet food and have an excellent wine cellar.