102.

By Timothy R Butler | Posted at 4:40 AM

That's the number of brute force attempts on Cedar since November. It is depressing to think that so many people have tried enough to set the alarm off. There are, of course, many more that tried only a few times. Like e-mail spam and blog spam, all of this seems to be done by bots; if the number of bots continues to increase at its alarming rate, it seems inevitable that the house of cards will fall… it is just a matter of when.

Tags: Comp/Tech

Re: 102.
Yep. I see a lot of crazy stuff on my FreeBSD firewall logs. There are some which clearly reflect bots or zombies, because I get the same IP every second or two, usually hitting the same few ports. Right now the number one target is port 445. I suppose the major advantage to BSD, and Linux of course, is the lack of paranoia about the firewall and virus attacks. Under Windows, I always sweat that because I can't afford a hardware firewall, and software firewalls are far from impervious.
Posted by Ed Hurst - Feb 27, 2005 | 4:41 AM

Re: 102.
I'm still nervous, simply because I figure a determined hacker *will* find a way eventually, but I agree. Do you use some kind of Brute Force blocking mechanism or just let them fire away?
Posted by Timothy R. Butler - Feb 27, 2005 | 8:10 PM

Re: 102.
A proper kernel-based firewall simply ignores the packets -- they are routed to /dev/null. For attacks to have any effect, they have to be processed through the kernel, and it knows to ignore them. My filtering rules are provided by someone who understands this stuff better than I, but it includes stateful packet inspection, etc. So I just let them packet away at me. Nothing I can do anyway. My system ignores it as it does all the other packets routed to some other IP. Linux firewalls are supposed to work that way, too.
Posted by Ed Hurst - Feb 28, 2005 | 2:44 AM

Re: 102.
Oops, forgot to check the context of your question. In Windows, there's nothing I can do there either. Software firewalls process the packets for the kernel, and can be made to fail, as has happened in the past. My previous comment was for FreeBSD.
Posted by Ed Hurst - Feb 28, 2005 | 2:46 AM

Re: 102.
Makes sense. How does that help with valid packets, though? For example, the aforementioned brute force attempts are valid attempts to login to SSH... they are merely trying random username/password combinations to do so.
Posted by Timothy R. Butler - Feb 28, 2005 | 5:57 AM

Re: 102.
On a desktop FreeBSD system, I have the luxury of turning off SSH. The one and only user has full access to the hardware at all times, and the install CD for FreeBSD includes boot-n-fix tools. On Windows, only NT-based versions offer SSH login, I believe. WinMe and earlier were only superficially multi-user, and just getting a response via connection was all it ever took. I'm guessing our only hope is to maintain the policy of very difficult-to-guess passwords. You'll recall mine is pretty obscure, and subject to change soon. As long as there are no accounts with weak passwords, only an application vulnerability will allow them access. Kernel-based firewalls are the champ there. You can make DENY the default, and prevent vulnerable apps from responding. Though I understand the theory, I have insufficient knowledge of traffic realities (what to block, how and why) to understand writing firewall rules. I find firewall instructions just too obscure for my artsy brain.
Posted by Ed Hurst - Feb 28, 2005 | 3:50 PM
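The SSH brute-force attempts discussed above are legitimate connections as far as a packet filter is concerned, so the place to spot them is the sshd log. The following is an added example, not code from the original post or its commenters: it counts failed password attempts per source address from sshd log lines and reports the sources that reach an alarm threshold. The log lines, the host name "cedar", the addresses and the threshold of 5 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd auth log lines (not taken from the original post).
SAMPLE_LOG = """\
Feb 27 04:12:01 cedar sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Feb 27 04:12:03 cedar sshd[2233]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Feb 27 04:12:05 cedar sshd[2235]: Failed password for root from 192.0.2.10 port 51244 ssh2
Feb 27 04:12:06 cedar sshd[2237]: Failed password for invalid user oracle from 192.0.2.10 port 51250 ssh2
Feb 27 04:12:08 cedar sshd[2239]: Failed password for invalid user guest from 192.0.2.10 port 51255 ssh2
Feb 27 04:13:10 cedar sshd[2241]: Failed password for tim from 198.51.100.7 port 40001 ssh2
Feb 27 04:13:20 cedar sshd[2243]: Accepted password for tim from 198.51.100.7 port 40002 ssh2
Feb 27 04:14:00 cedar sshd[2245]: Invalid user www from 203.0.113.5
"""

# Matches OpenSSH's "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return (failed attempts per source IP, usernames tried per source IP)."""
    per_ip = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other sshd messages are ignored
        ip, user = m.group("ip"), m.group("user")
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(user)
    return per_ip, users

def brute_force_sources(log_text, threshold=5):
    """Source IPs whose failed-login count reaches the alarm threshold."""
    per_ip, users = count_failures(log_text)
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {info['users']}")
```

A single failure from a known user (198.51.100.7 above) stays below the threshold, while a source cycling through guessed usernames is reported with the names it tried.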
