How to make sure /etc/passwd is not compromised

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: How to make sure /etc/passwd is not compromised

Post by BShT » 2020/10/14 13:14:47

under normal operation you will see no impact

but if you are suffering a 10K IPs brute force attack you will

if you deny password login, don't let brute force scale, cut it at first try or you will be DDoSed

amd
Posts: 10
Joined: 2020/09/28 19:21:29

Re: How to make sure /etc/passwd is not compromised

Post by amd » 2020/10/14 19:31:44

Here are the first rows of lastb, run just now:
test ssh:notty 195.54.160.180 Wed Oct 14 21:10 - 21:10 (00:00)
rolf ssh:notty 51.178.86.97 Wed Oct 14 21:05 - 21:05 (00:00)
suporte ssh:notty 51.158.79.157 Wed Oct 14 20:08 - 20:08 (00:00)
ec2 ssh:notty 218.92.40.162 Wed Oct 14 20:02 - 20:02 (00:00)
ftpuser ssh:notty 218.92.40.162 Wed Oct 14 20:01 - 20:01 (00:00)
lemwal ssh:notty 111.230.248.93 Wed Oct 14 20:00 - 20:00 (00:00)
user ssh:notty 218.92.40.162 Wed Oct 14 20:00 - 20:00 (00:00)
postgres ssh:notty 218.92.40.162 Wed Oct 14 19:59 - 19:59 (00:00)
postgres ssh:notty 218.92.40.162 Wed Oct 14 19:58 - 19:58 (00:00)
test ssh:notty 218.92.40.162 Wed Oct 14 19:56 - 19:56 (00:00)
test ssh:notty 218.92.40.162 Wed Oct 14 19:54 - 19:54 (00:00)
noc ssh:notty 218.92.40.162 Wed Oct 14 19:53 - 19:53 (00:00)
techuser ssh:notty 218.92.40.162 Wed Oct 14 19:51 - 19:51 (00:00)
admin ssh:notty 218.92.40.162 Wed Oct 14 19:50 - 19:50 (00:00)
test ssh:notty 218.92.40.162 Wed Oct 14 19:49 - 19:49 (00:00)
macintos ssh:notty 218.92.40.162 Wed Oct 14 19:48 - 19:48 (00:00)
student ssh:notty 218.92.40.162 Wed Oct 14 19:47 - 19:47 (00:00)
admin ssh:notty 218.92.40.162 Wed Oct 14 19:45 - 19:45 (00:00)
admin ssh:notty 218.92.40.162 Wed Oct 14 19:44 - 19:44 (00:00)
testftp ssh:notty 218.92.40.162 Wed Oct 14 19:43 - 19:43 (00:00)
suva ssh:notty 128.1.133.165 Wed Oct 14 19:43 - 19:43 (00:00)
vncuser ssh:notty 218.92.40.162 Wed Oct 14 19:42 - 19:42 (00:00)
clint ssh:notty 103.45.130.164 Wed Oct 14 19:42 - 19:42 (00:00)
math ssh:notty 218.92.40.162 Wed Oct 14 19:41 - 19:41 (00:00)
install ssh:notty 183.234.184.4 Wed Oct 14 19:39 - 19:39 (00:00)
jan ssh:notty 51.75.123.107 Wed Oct 14 19:33 - 19:33 (00:00)
bot ssh:notty 120.211.61.239 Wed Oct 14 19:30 - 19:30 (00:00)
bart ssh:notty 180.76.167.78 Wed Oct 14 19:30 - 19:30 (00:00)
matumoto ssh:notty 119.29.183.138 Wed Oct 14 19:29 - 19:29 (00:00)
service ssh:notty 117.50.20.76 Wed Oct 14 19:26 - 19:26 (00:00)
haxor ssh:notty 49.232.54.96 Wed Oct 14 18:47 - 18:47 (00:00)
godunov ssh:notty 43.251.158.125 Wed Oct 14 18:44 - 18:44 (00:00)
pi ssh:notty 71.36.98.73 Wed Oct 14 18:22 - 18:22 (00:00)
pi ssh:notty 71.36.98.73 Wed Oct 14 18:22 - 18:22 (00:00)
db2inst1 ssh:notty 193.228.91.123 Wed Oct 14 18:00 - 18:00 (00:00)
weblogic ssh:notty 193.228.91.123 Wed Oct 14 18:00 - 18:00 (00:00)
www ssh:notty 193.228.91.123 Wed Oct 14 18:00 - 18:00 (00:00)
student ssh:notty 193.228.91.123 Wed Oct 14 17:59 - 17:59 (00:00)
The time spacing between login attempts does not look super aggressive, although it is consistent.

Fair enough, I'll go ahead and give fail2ban a shot this weekend and see what difference it makes. Thank you!
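
A small added example (not code from the thread) of the kind of per-source check that the lastb output above invites: it parses rows in that format, groups failures by source IP, reports how many usernames each IP tried and the median spacing between its attempts, and flags the IPs that would trip a fail2ban-style retry threshold. The sample rows are copied from the post; the year (2020) and the whitespace-collapsed column layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Rows copied from the lastb output posted above (lastb prints no year; 2020 is assumed).
SAMPLE = """\
test ssh:notty 195.54.160.180 Wed Oct 14 21:10 - 21:10 (00:00)
ec2 ssh:notty 218.92.40.162 Wed Oct 14 20:02 - 20:02 (00:00)
ftpuser ssh:notty 218.92.40.162 Wed Oct 14 20:01 - 20:01 (00:00)
user ssh:notty 218.92.40.162 Wed Oct 14 20:00 - 20:00 (00:00)
postgres ssh:notty 218.92.40.162 Wed Oct 14 19:59 - 19:59 (00:00)
pi ssh:notty 71.36.98.73 Wed Oct 14 18:22 - 18:22 (00:00)
pi ssh:notty 71.36.98.73 Wed Oct 14 18:22 - 18:22 (00:00)
"""

ROW = re.compile(r"^(?P<user>\S+)\s+ssh:notty\s+(?P<ip>\S+)\s+\w{3} "
                 r"(?P<mon>\w{3})\s+(?P<mday>\d+) (?P<hm>\d{2}:\d{2}) - ")

def parse_lastb(text, year=2020):
    """Return (user, ip, datetime) for each failed-login row; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['mon']} {m['mday']} {m['hm']}", "%Y %b %d %H:%M")
            events.append((m["user"], m["ip"], when))
    return events

def summarize(events):
    """Per source IP: attempt count, usernames tried, median gap between attempts (minutes)."""
    by_ip = defaultdict(list)
    for user, ip, when in events:
        by_ip[ip].append((when, user))
    report = {}
    for ip, rows in by_ip.items():
        rows.sort()  # lastb lists newest first; order by time for the gap calculation
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(rows, rows[1:])]
        report[ip] = {"attempts": len(rows), "users": sorted({u for _, u in rows}),
                      "median_gap_min": median(gaps) if gaps else None}
    return report

def suspects(report, min_attempts=3):
    """Source IPs at or above min_attempts failures (the same idea as fail2ban's maxretry)."""
    return sorted(ip for ip, r in report.items() if r["attempts"] >= min_attempts)

if __name__ == "__main__":
    rep = summarize(parse_lastb(SAMPLE))
    for ip in suspects(rep):
        print(ip, rep[ip])
```

lastb only records minute resolution, so attempts in the same minute show a gap of 0; real lastb output has fixed-width columns, which the regex tolerates because it matches on runs of whitespace.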
