
Date:  Sat, 10 May 2008 16:56:03 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark) precisionweb.net>
Subject:  [coba-e:12794] brute force password guessing
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <178601c8b2f9$69e75bf0$6601a8c0@OfficeKen>
References:  <20080510203922.M90882 (at mark) domain-nameit.net>
X-Mail-Count: 12794
I had an IP guessing POP logins last night. On the one server that I 
checked, my system blocked them after 4 minutes. That was still enough time 
for 300 attempts.

I did not think they would be able to find any easy logins with that many 
attempts. But, this morning I checked the logs by grepping for that IP 
address and found no indication of failure.

The offending IP was: 82.165.177.156

What I did was:

cd /var/log

# each pipeline below is one command, wrapped here with backslashes
cat maillog | grep 82.165.177.156 | grep -v "Authentication failure" | \
  grep -v Aborted | grep -v "Password mismatch" | grep -v Inactivity | \
  grep -v Disconnected | grep -v incorrect

gunzip maillog.1.gz

cat maillog.1 | grep 82.165.177.156 | grep -v "Authentication failure" | \
  grep -v Aborted | grep -v "Password mismatch" | grep -v Inactivity | \
  grep -v Disconnected | grep -v incorrect

gzip maillog.1

gunzip maillog.2.gz

cat maillog.2 | grep 82.165.177.156 | grep -v "Authentication failure" | \
  grep -v Aborted | grep -v "Password mismatch" | grep -v Inactivity | \
  grep -v Disconnected | grep -v incorrect

gzip maillog.2



What is interesting is that across all my servers, they actually found 7 
logins like user jason with password of jason, or user dennis with password 
of "password". I changed these logins.

So, they could have spammed through these 7 accounts.

Also, I have FTP disabled for non-admin users and I have the ~userdir 
functionality disabled. If I had both enabled, then they'd have had 7 ftp 
logins with which to upload spamming / hacking type scripts to my servers.

What I do for FTP is add this to the global section of my proftpd.conf:

   <Limit LOGIN>
     DenyAll
     AllowGroup site-adm
     AllowUser someotherusername
     AllowUser admin
   </Limit>



What I do for the userdir functionality is edit each vhost file, e.g. 
/etc/httpd/conf/vhosts/site2
from
AliasMatch ^/~([^/]+)(/(.*))? /home/.sites/143/site2/users/$1/web/$3
to
AliasMatch ^/~([^/]+)(/(.*))? /home/.sites/143/site2/users-invalid/$1/web/$3



Anyone who has a lot of users and who does not make one or both of these 
changes on their servers is volunteering to be the low hanging fruit.



It will not affect me since I do it automatically already, but if I could 
make 2 suggestions for future BQ versions:
1. Do not allow the password to be "password" or to be the same as the 
username.
2. Have userdirs disabled; make it hard for customers to enable userdirs, 
and harder to enable with php and cgi access for those userdirs.

----

Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net