Rich Freeman on 12 Jun 2017 09:29:51 -0700



Re: [PLUG] PI being targeted for malware


On Mon, Jun 12, 2017 at 9:06 AM, JP Vossen <jp@jpsdomain.org> wrote:
>
> And there is a bot running that's trying to guess passwords for all kinds of
> accounts.  In the last 2-3 days I've seen many attempts on my non-standard
> SSH port...

Interesting that they're scanning non-standard ports, though I guess
they can do that just once and then keep coming back.

I suspect that 90% of my logs these days are ssh brute force attempts,
though I haven't looked at them lately.  I set up ssh to require a
TOTP for logins using a password (no indication of reason for failure
if either password or TOTP fails), so I don't bother to try to block
these hosts.  The only downside is that some ssh clients don't work
with it, though most terminal-based ones do.  The ones that tend to
not work are things like scp implementations.  I don't require TOTP
when a key is used; it gives me the ability to still log in using
passwords when I'm not on a normally-used device while still being
pretty secure from keylogging/etc.

For those interested:
https://github.com/google/google-authenticator-libpam

(I really should do a lightning talk on this sometime.   I imagine
most distros have it packaged.)

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
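
A configuration sketch of the setup described in the message above, added here as an example and not taken from the post or from the google-authenticator-libpam project. The file paths, the standalone `pam_unix.so` line (many distros use an include instead) and the choice of `required` control flags are assumptions.

```conf
# --- /etc/pam.d/sshd (auth section only; assumed layout) ---
# "required" lets the stack keep going after a failure, so a wrong password
# still leads to the verification-code prompt and only the final result is
# reported. "requisite" would stop at the first failure and show which
# factor was wrong.
auth    required    pam_unix.so
auth    required    pam_google_authenticator.so

# --- /etc/ssh/sshd_config ---
UsePAM yes

# Public key logins stay enabled. sshd does not run the PAM auth stack for
# them, so no TOTP prompt appears when a key is used.
PubkeyAuthentication yes

# Turn off sshd's plain password method so that password logins have to go
# through the PAM conversation (password prompt, then TOTP prompt).
PasswordAuthentication no

# Carries the PAM prompts to the client. Older OpenSSH releases call this
# option ChallengeResponseAuthentication.
KbdInteractiveAuthentication yes

# AuthenticationMethods is left unset: any single successful method is
# enough, which means a key alone or keyboard-interactive (password + TOTP).
```

Each account needs a secret generated with the `google-authenticator` tool that ships with the module. Check the result with `sshd -t` and keep an existing session open while testing the new login path.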