Cracked

Chris ubuntu at functionalfuture.com
Mon Oct 18 12:59:03 UTC 2004


On Mon, 2004-10-18 at 15:20 +0800, John wrote:
> My mail service (which is not the one in my address) was cracked last week.
> 
> I allow logins via ssh (I need access to do remote maintenance).
> 
> One person, possibly as many as three, gained root access to the box 
> with the ever-reliable dictionary attack.

How did you figure out that it was a dictionary attack?  Lots of login
attempts in the log?  This seems like it would be a slow attack to do
over the network, no?

> One of the other possible countermeasures is to detect dictionary 
> attacks and stop them cold.

Have you looked at the pam_tally module for PAM?

For desktop machines I see no reason why Ubuntu couldn't take the
Windows XP SP2 approach.  That is, iptables are turned on with the
default set to DENY and allowing outbound by the stateful settings.
Then the user could open the ssh port if they really want to.

If pam_tally or something like that was also installed then it could do
like you suggest and block the remote host with firewall settings or it
could just disable the account completely.  I wonder if it would be
possible to just disable the account for remote access but still allow
console login.

-- 
// Chris
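Chris asks above whether the dictionary attack showed up as many failed logins in the log. As an added example (not code from either message), this Python checks constructed sshd auth-log lines for that pattern: a burst of failed logins from one source host within a short window, and whether a successful login from the same host followed the burst. The sample log lines, the 60-second window, the threshold of three failures and the year (syslog omits it) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample (syslog format, no year), for illustration
# only; in practice the text would come from /var/log/auth.log or equivalent.
SAMPLE_LOG = """\
Oct 18 03:01:02 mail sshd[4101]: Failed password for root from 192.0.2.10 port 40012 ssh2
Oct 18 03:01:04 mail sshd[4103]: Failed password for root from 192.0.2.10 port 40014 ssh2
Oct 18 03:01:05 mail sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40016 ssh2
Oct 18 03:01:07 mail sshd[4107]: Failed password for root from 192.0.2.10 port 40018 ssh2
Oct 18 03:01:09 mail sshd[4109]: Accepted password for root from 192.0.2.10 port 40020 ssh2
Oct 18 03:15:00 mail sshd[4200]: Failed password for chris from 198.51.100.7 port 51000 ssh2
Oct 18 09:30:00 mail sshd[4300]: Accepted publickey for chris from 198.51.100.7 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def find_dictionary_attacks(log_text, threshold=3, window_seconds=60, year=2004):
    """Return {ip: (failures_in_window, success_after)} for source hosts with
    at least `threshold` failed logins inside any `window_seconds` span.
    success_after is True if that host later got an Accepted line, i.e. the
    guessing may have worked (syslog omits the year, so it is assumed)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd or other daemon line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        (failures if m["result"] == "Failed" else successes)[m["ip"]].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            # count failures from this one forward that fall inside the window
            burst = [t for t in times[i:] if (t - start).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                flagged[ip] = (len(burst), any(s > start for s in successes[ip]))
                break
    return flagged

if __name__ == "__main__":
    for ip, (n, ok) in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures in window, later success: {ok}")
```

A host that is flagged with a later success is the one to examine first; a host that is flagged without one is what pam_tally or a firewall rule would block before it gets that far.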
