Marcus Meissner wrote:
<snip>
>> OK, I'll bite... what worm, and what can I do about it? And where is it coming from: one of my systems (all Linux) or one of the destination IPs? What defenses will work?

> Well, it tries to break into your system, but is very likely not in any of your machines if you only see external IPs.

So far, only external IPs, so that is good.

> Since it/they have already infected thousands of machines on the internet, you will see their scans from there.

So the trick is to recognize the attacks and *temporarily* ban that IP address from further access, then, after the attack, reinstate the IP. This is what I *thought* the entry in iptables was going to do, but obviously it doesn't in my case. However, others have suggested it should work, so I figure something is still left undone in my configuration, which is what prompted my rather long original post. I would be happy to send that as a file to anyone who requests it via e-mail rather than tying up this forum further.

> Good passwords, having SSH on a different port, or even disabling SSH from the outside are a good help.

I believe the reason I have not been compromised, only 'annoyed', so far is because I do have good account AND password schemes in effect, but the best practice is to prevent the person with the axe from using it against the door in the first place, no matter if the door is made of iron or balsa wood, don't you think?

Now, previously, I have stated it is impractical for me to change to a non-standard SSH port due to the number of outside systems I support that are NOT part of my network. I am a consultant (not for Linux security, unfortunately) and while I am trying desperately to educate the 'unwashed masses' to vacate Windoze, many do still use that so-called OS, and some may even be infected with all kinds of evil virus and wormy critters that my systems so far have resisted.

Previously, I tried 'fail2ban' and while it ran, it failed to detect any attacks. I thought I had correctly installed it, but obviously I had not, and I disabled it when I "discovered" the 'recent' feature of iptables, pointed out to me by several members of this forum. iptables appears to support this feature; it shows up in the iptables -L printout, but Wireshark shows it is not being effective against whatever is attacking. Thus, I probably will need to re-try fail2ban unless you or others have additional thoughts on the iptables solution, which would be my first choice if it could be made to work.

Thanks,
Richard

> Ciao, Marcus
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
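The exchange above turns on two things: what a temporary per-address ban with iptables' `recent` match actually looks like, and why such a rule can show up in `iptables -L` yet never match. The script below is an added example, not code from the thread or from either poster. It assumes iptables with the `xt_recent` and `conntrack` modules and sshd on the default port 22 (the `SSH_PORT`, `WINDOW` and `HITS` variables, the `SSH_LIMIT` chain name and the `SSH` recent-list name are this example's own choices). `ssh_ratelimit_rules` prints the rule set; `check_order` reads `iptables-save` output and reports whether a plain ACCEPT for the SSH port sits above the `SSH_LIMIT` jump in INPUT, which is one ordering that leaves the `recent` rule present but shadowed.

```shell
#!/bin/sh
# Added example (not from the thread): temporary per-address SSH ban with
# iptables' "recent" match, plus a check for the rule-ordering mistake that
# leaves such a rule visible in "iptables -L" but never matching.
# Assumptions: iptables with xt_recent and conntrack; sshd on port 22.
# SSH_PORT, WINDOW, HITS, the SSH_LIMIT chain and the "SSH" list name are
# this example's own names, not anything from the original posts.
set -eu

SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"   # seconds of silence before an address is forgotten
HITS="${HITS:-4}"        # NEW connections allowed per WINDOW; must not exceed
                         # xt_recent's ip_pkt_list_tot (default 20) or the rule is rejected

# Emit the rules without applying them. Every NEW SSH connection is sent to a
# dedicated chain: if the source address already has HITS timestamps within
# WINDOW, the packet is dropped and the entry's timestamp is refreshed
# (--update), so a host that keeps retrying stays banned until it is quiet for
# WINDOW seconds; otherwise the packet is recorded (--set) and accepted.
# The jump is inserted at position 1 of INPUT so no earlier ACCEPT can shadow it.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -N SSH_LIMIT 2>/dev/null || iptables -F SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name SSH --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -A SSH_LIMIT -m recent --name SSH --set -j ACCEPT
iptables -I INPUT 1 -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_LIMIT
EOF
}

# Read "iptables-save" output on stdin. Exit 0 if the SSH_LIMIT jump precedes
# every plain ACCEPT for the SSH port in INPUT, 1 if such an ACCEPT comes first
# (the jump is shadowed and the recent list is never consulted), 2 if the jump
# is missing. Only single-port rules (--dport N) are inspected; multiport rules
# are not recognised.
check_order() {
    awk -v port="$SSH_PORT" '
        /^-A INPUT / && index($0, "--dport " port " ") {
            if (!jump && $0 ~ /-j SSH_LIMIT$/) jump = NR
            else if (!accept && $0 ~ /-j ACCEPT$/) accept = NR
        }
        END {
            if (!jump) exit 2
            if (accept && accept < jump) exit 1
            exit 0
        }'
}

case "${1:-}" in
    --apply) ssh_ratelimit_rules | sh -e ;;   # needs root and the xt_recent module
    --check) check_order ;;                   # usage: iptables-save | ./ssh_limit.sh --check
    *)       ssh_ratelimit_rules ;;           # default: just print the rules
esac
```

Two checks are worth running after applying this. `iptables -L INPUT -v -n --line-numbers` shows per-rule packet counters: if the `SSH_LIMIT` jump's counter stays at zero while Wireshark shows SYNs arriving on the port, the traffic is being consumed by an earlier rule. `cat /proc/net/xt_recent/SSH` lists the addresses the kernel is tracking, with their timestamps; an empty file while attempts are visible means the `--set` rule is never reached. Two caveats: because the DROP rule uses `--update`, every dropped attempt refreshes the entry, so an attacker that never pauses for `WINDOW` seconds stays banned indefinitely (use `--rcheck` instead if a fixed window after the last accepted attempt is wanted), and a third party who can spoof SYNs from your own address can get you banned; adding `--rttl` to the DROP rule, which only matches when the packet's TTL equals the stored one, makes that harder.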