-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Kelsay
Sent: Thursday, October 21, 2004 10:58 AM
To: [email protected]
Subject: Re: It was bound to happen - suspected hack
Block the IPs of the attackers specifically in your iptables rules. Make sure the users that they attempted to log on w/ are disabled, password changed or non-real users. Change root password. It looks like you are already working to allow only your IP to ssh, that's good. Check the other boxes and see if they have been compromised. You should also contact the ISP they are coming from and inform them of the break-in if they did in fact get into your server.
This is where a separate logging firewall w/ snort would help you. You could see how many and what kind of attack attempts were made before they got in.
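An added example of the triage Brian describes (my code, not from anyone on the list): it walks constructed sshd log lines, counts failed logins per source address, lists which usernames each address tried (so those accounts can be checked and disabled), flags any successful login from an address that also had failures, and renders the matching iptables DROP rules without executing them. The log lines, IPs and threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not taken from the original thread).
SAMPLE_AUTH_LOG = """\
Oct 21 03:12:01 host sshd[2201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Oct 21 03:12:03 host sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 51023 ssh2
Oct 21 03:12:05 host sshd[2205]: Failed password for invalid user guest from 192.0.2.10 port 51024 ssh2
Oct 21 03:14:40 host sshd[2250]: Failed password for admin from 198.51.100.7 port 40211 ssh2
Oct 21 03:14:42 host sshd[2252]: Accepted password for admin from 198.51.100.7 port 40212 ssh2
Oct 21 08:00:00 host sshd[3001]: Accepted publickey for dustin from 203.0.113.5 port 50000 ssh2
"""

# "invalid user" is prepended by sshd when the account does not exist.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def summarize(log_text, threshold=3):
    """Return failure counts per IP, usernames each IP tried, the IPs to block,
    and successful logins from an IP that also produced failures."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groups())
    # A success right after failures from the same address is the "did they
    # actually get in" case: that account needs a password change at least.
    suspicious_success = [(u, ip) for u, ip in accepted if failures[ip] > 0]
    block = {ip for ip, n in failures.items() if n >= threshold}
    block.update(ip for _, ip in suspicious_success)
    return {
        "failures": dict(failures),
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "suspicious_success": suspicious_success,
        "block": sorted(block),
    }


def iptables_rules(ips, chain="INPUT"):
    """Render one DROP rule per attacker IP; prints nothing and runs nothing."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]
```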
Amen to that. And if you wind up in court, it's pretty handy for an expert witness to be able to point to the actual packets themselves. I log and archive the entire data stream in/out of my network for this and other purposes.
My primary purpose is to be able to replay data for analysis. This could be to facilitate troubleshooting, but that's rare. More often than not, I want to "see what really happened" on the wire. The second good reason for this (Nimda/Code Red started me down this road) is the ability to replay the network stream through an alternate Snort configuration, with new signatures in place. This way, when a zero-day monster occurs, I can go back as far as I like to look for the attack once I have a good signature in place.
Dustin