LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 05-04-2013, 10:23 AM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955

Quote:
Originally Posted by tronayne View Post
the lion's share originates in China.
Anyone who's followed stats over the last couple of years knows China, the US and Russia rotate in the most malicious activity top five. Plus a scan originating from China doesn't automagically mean it's the chinese, anyone could be using those machines.


Quote:
Originally Posted by tronayne View Post
Script kiddies and port scanners are one thing, state-sponsored attacks are quite another. Do countries spy on one another? Of course they do and have done so for thousands of years in one form or another. It seem, though, that China has taken it to a new level.
That's only what's been discovered and cleared for publication. And the recent spate of APTs weren't exactly all chinese efforts, right?..
 
Old 05-04-2013, 10:36 AM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
Quote:
Originally Posted by chemfire View Post
Personally I don't see the need for fail2ban in this situation. Its one more package he has to install
True, but since the slackware installation instructions tell you to install "everything unless you know what you're doing" that's somewhat debatable I think ;-p Anyway, if you run Python already the package itself doesn't take up much space.


Quote:
Originally Posted by chemfire View Post
and one more thing that has to be memory resident.
Long time since I read that phrase and argument. Do you actually know how much memory Python would need for running fail2ban or if the OP has very limited RAM?


Quote:
Originally Posted by chemfire View Post
(they just give up and move on when they start seeing the port as closed after 5 hits)
I've seen single hosts scan for hours on end at n connections per second.
 
Old 05-04-2013, 11:02 AM   #18
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,119

Rep: Reputation: 818Reputation: 818Reputation: 818Reputation: 818Reputation: 818Reputation: 818Reputation: 818
Quote:
Originally Posted by unSpawn View Post
That's only what's been discovered and cleared for publication. And the recent spate of APTs weren't exactly all chinese efforts, right?..
Advanced persistent threat (APT) network attack have, indeed, been rising -- and originating from all over the place -- so, no, probably not all of Chinese origin. However, the evidence seems to indicate the majority originating are in China.

Keep in mind that there a 12-story building on the outskirts of Shanghai that is the headquarters of Unit 61398 of the People’s Liberation Army.

Quoting from The New York Times, "Chinese Army Unit Is Seen as Tied to Hacking Against U.S." 19 Feb 2013 article (see http://www.nytimes.com/2013/02/19/te...anted=all&_r=0):
Quote:
The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.
And, of course, not just the U.S. is being targeted -- so's everybody else with anything worth knowing.

Is the article worth reading? Is The New York Times to be believed? Is China (as in state-sponsored) doing this?

I think ignoring or pooh-poohing is at your peril. You can, of course, decide for yourself.
 
Old 05-04-2013, 12:42 PM   #19
chemfire
Member
 
Registered: Sep 2012
Posts: 81

Rep: Reputation: Disabled
unSpawn,

I'll agree that the system requirements of fail2ban are not something to be concerned with; although if you are running on a purpose built firewall type appliance box with only a couple hundred megs of ram it might matter. There are still human maintenance issue though, you have an application that does not ship with the platform so will need to be considered at each upgrade; and kept current itself and ban lists to manage. Not munch effort but certainly more than the iptables xt-recent solution which is pretty much shove in rc.firewall and forget about it.

As to the APT issue that is clearly not his problem. No APT would have thrown the dictionary at sshd like that unless they already knew the target did not review logs and has not SEIM or automatic log analysis in place. While I have seen those guys do slow scans are part of recon etc; and they might even try the obious root/toor admin/p@$$w0rd type things on an application once that does not work they are not going to try and run a dictionary attack for months at an average rate of 1 attempt every 60 seconds. They have better things to do.

They are going to A) spear phish you and get you do something that will let them back in; java applet reverse shell on a cloned website for example. B) identify something like sshd you are running; find or develop an exploit for it offline and than crack it in one attempt against you. Fail2ban and firewalling won't help you there. Good inline IPS might but most likely not. Which gets you back to the oldest solutions. Make sure everything you have is patched and minimize the attack surface don't run anything you don't need.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
POP3 brute force attack help glyn3332 Linux - Security 2 10-13-2008 06:12 AM
brute-force-ssh-attack saavik Linux - Security 6 09-05-2008 02:01 AM
Protect server from brute force attack via ssh babysparrow Linux - Security 6 03-31-2006 10:00 PM
Brute-force attack - How can I assess the damage? thew00t Linux - Security 4 09-27-2005 07:08 PM
How did the NASA get hacked, was it just a brute force attack? abefroman Linux - Security 2 05-18-2005 06:33 AM


All times are GMT -5. The time now is 04:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration