Comments on: Gettin’ hacked http://www.guru.net.nz/blog/2008/09/gettin-hacked.html Random stuff from a Dunedin (NZ) based web developer, beer drinker and dad Mon, 30 Aug 2010 22:42:20 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: oz http://www.guru.net.nz/blog/2008/09/gettin-hacked.html#comment-489 oz Fri, 09 Jan 2009 11:32:46 +0000 http://www.guru.net.nz/newblog/?p=187#comment-489 fail2ban worked good as gold for me, but yeah you need iptables/ipchains running blocks malformed apache attacks too fail2ban worked good as gold for me, but yeah you need iptables/ipchains running
blocks malformed apache attacks too

]]> By: Nathan http://www.guru.net.nz/blog/2008/09/gettin-hacked.html#comment-305 Nathan Thu, 02 Oct 2008 01:21:00 +0000 http://www.guru.net.nz/newblog/?p=187#comment-305 In regards to the SSH attempts, you could always try running the SSH daemon on a custom port.<br/><br/>I used to have heaps of login attempts, and changing the port to something else has eliminated these completely. In regards to the SSH attempts, you could always try running the SSH daemon on a custom port.

I used to have heaps of login attempts, and changing the port to something else has eliminated these completely.

]]> By: Guru http://www.guru.net.nz/blog/2008/09/gettin-hacked.html#comment-304 Guru Sat, 27 Sep 2008 12:24:00 +0000 http://www.guru.net.nz/newblog/?p=187#comment-304 I think I've found and fixed the problem. The SSH hacking was coincidental and resulted in me finding out a bit more about fail2ban (will have to run ipchains alongside it I think - not currently doing that).<br/><br/>The bandwidth was eaten up because someone sent me a 16MB email, and my custom delivery solution (home made, probably already exists as part of exim) was choking because the PHP CLI was configured to allow a maximum script size of 32MB. I bumped it up to 64MB and the email came through. I guess my script is holding a copy of the whole message in memory or something (it does some mail header parsing).<br/><br/>So, it had been trying to download it pretty much constantly for the last three days and failing, then trying again. The bugger about this is that as far as my ISP is concerned this will be chargable bandwidth $#*#@!<br/><br/>Who sends images as BMP's anyway?!<br/><br/>Will keep an eye on it but I think it's fixed. I think I’ve found and fixed the problem. The SSH hacking was coincidental and resulted in me finding out a bit more about fail2ban (will have to run ipchains alongside it I think – not currently doing that).

The bandwidth was eaten up because someone sent me a 16MB email, and my custom delivery solution (home made, probably already exists as part of exim) was choking because the PHP CLI was configured to allow a maximum script size of 32MB. I bumped it up to 64MB and the email came through. I guess my script is holding a copy of the whole message in memory or something (it does some mail header parsing).

So, it had been trying to download it pretty much constantly for the last three days and failing, then trying again. The bugger about this is that as far as my ISP is concerned this will be chargable bandwidth $#*#@!

Who sends images as BMP’s anyway?!

Will keep an eye on it but I think it’s fixed.

]]> By: Guru http://www.guru.net.nz/blog/2008/09/gettin-hacked.html#comment-303 Guru Sat, 27 Sep 2008 06:38:00 +0000 http://www.guru.net.nz/newblog/?p=187#comment-303 I'm suspecting something else as well - you're right, SSH shouldn't use that much, unless there's some kind of weird attack under way that isn't resulting in actual SSH failed login attempts.<br/><br/>I've hopefully got a quiet evening at home alone tonight (baby sleep willing) so will have to look closer. Have had another gig eaten up since lunchtime (~6 hours).<br/><br/>Will have to look at some kind of application bandwidth reporting as well for future interest. Would have been nice to get on top of this sooner. I’m suspecting something else as well – you’re right, SSH shouldn’t use that much, unless there’s some kind of weird attack under way that isn’t resulting in actual SSH failed login attempts.

I’ve hopefully got a quiet evening at home alone tonight (baby sleep willing) so will have to look closer. Have had another gig eaten up since lunchtime (~6 hours).

Will have to look at some kind of application bandwidth reporting as well for future interest. Would have been nice to get on top of this sooner.

]]> By: Scott http://www.guru.net.nz/blog/2008/09/gettin-hacked.html#comment-302 Scott Sat, 27 Sep 2008 03:01:00 +0000 http://www.guru.net.nz/newblog/?p=187#comment-302 I thought by default fail2ban would ban after 4 failed attempts for 10 minutes. You could try setting some iptable rules yourself. Seems crazy that ssh login attempts used that much bandwidth. I thought by default fail2ban would ban after 4 failed attempts for 10 minutes. You could try setting some iptable rules yourself. Seems crazy that ssh login attempts used that much bandwidth.

]]>