Re: some attack to fedora machine.

Sat, 2008-04-12 at 08:16 +1000, Da Rock wrote:
> On Fri, 2008-04-11 at 17:57 +0300, Antti J. Huhtala wrote:
> > 
> > Your tip about not allowing username/password combinations is a good
> > one. Any examples of an implementation of e.g. key pairs?
> 
> Yes, that would be good to see. 
Mikkel already answered this one in another post.
> May I also ask if any of you guys having
> these attacks are behind a firewall and/or NAT? 
At present, no separate router or other firewall, just the one Fedora 8
provides. I've only briefly tried NAT in my LAN but not long enough to
observe whether invasion attempts were extended to the LAN.
> I use ssh but so far I
> don't believe I've had any trouble - I'd like to be a little better
> informed on this though, i.e. symptoms etc.
> 
The problem with describing the various symptoms an intrusion may cause
is that it is difficult to avoid getting a little paranoid watching e.g.
unexpected and rather frequent hard disk activity. That's why I had to
remove beagled from my F7 installation. The hard disk light was on all
the time - or so it seemed.
There are plenty of knowledgeable people on this list who could tell you
much more than I can. Anyway, I monitor my system for intrusion attacks
by having the Network Monitor (or whatever the English term is) icon
permanently on my lower panel. Another icon I have there is the System
Status (or whatever..). If either of these shows high activity that I
have not caused myself, I look at top in terminal window to see what's
going on. Usually it is yum-updatesd or makewhatis - sort of household
chores.
It may be worthwhile to occasionally click on the Network Monitor icon to
see how many packets have gone in and out of the Internet interface. If I
haven't updated or downloaded anything, the input/output ratio is
usually well over 100:1. Most of this traffic is ARP broadcast packets -
but of course the 10-minute-interval e-mail traffic is there also. Some
of it is rejections from my box to whoever is trying to connect, i.e.,
rejections of potential intruders.
As I said before, an almost sure sign of a compromised box is that
logwatch messages suddenly stop coming. Then it is time to run Wireshark
for some length of time to see what is going *out* of your box. 'Whois'
is another friend you probably need then.

Sorry, work commitments won't allow further comments this weekend.

HTH, Antti


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list