Brute Force SSH Attacks


ladylinux
07-29-04, 12:26
Hello,

For the last few weeks I have been noticing, across a wide range of IP blocks, scanning for the test and guest accounts ..

I had no worry as I had already removed these accounts and implemented stringent SSH controls ..

Well I know now of one host who got cracked into through the "Guest" account .. Kitted and all

Time to do a lil patching and reading folks ..

The doc is Dynamics Outstanding security doc under system admin docs ..

Lady Linux :)

alex042
07-29-04, 12:37
I've noticed this also, and fortunately BFD (brute force detection) from http://rfxnetworks.com has already blocked some usernames and IPs and notified us.

Btw, there were also some anonymous FTP attempts and what looked like a few manual SSH attempts that BFD didn't catch so some simple things like disallowing anonymous FTP access and moving the SSH port may help some people also.
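The detection alex042 describes (a tool counting failed logins per source and blocking the worst offenders) can be reproduced in a few lines. The following is an added example, not part of this thread and not BFD's own code: it parses OpenSSH "Failed password" syslog lines (format assumed from OpenSSH of that era), counts failures per source IP and the usernames tried, and emits hosts.deny-style entries for sources over a threshold. The log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Assumed OpenSSH syslog format for a failed password attempt, e.g.
#   "... sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 41022 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Failures from one source before it is reported (arbitrary threshold for the example).
THRESHOLD = 5

# Constructed sample log: one source hammering test/guest/admin/root,
# one legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
Jul 28 03:12:01 web1 sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 41022 ssh2
Jul 28 03:12:03 web1 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 41023 ssh2
Jul 28 03:12:05 web1 sshd[2205]: Failed password for invalid user guest from 203.0.113.7 port 41024 ssh2
Jul 28 03:12:07 web1 sshd[2207]: Failed password for invalid user guest from 203.0.113.7 port 41025 ssh2
Jul 28 03:12:09 web1 sshd[2209]: Failed password for invalid user admin from 203.0.113.7 port 41026 ssh2
Jul 28 03:12:11 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 41027 ssh2
Jul 28 03:15:40 web1 sshd[2230]: Failed password for alice from 198.51.100.9 port 50110 ssh2
Jul 28 03:15:52 web1 sshd[2232]: Accepted password for alice from 198.51.100.9 port 50111 ssh2
Jul 28 03:16:00 web1 sshd[2234]: Connection closed by 198.51.100.9
""".splitlines()


def parse_failures(lines):
    """Return (failures per IP, set of usernames tried per IP) from sshd log lines."""
    counts = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects, unrelated daemons
        counts[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return counts, users


def offenders(lines, threshold=THRESHOLD):
    """Sources with at least `threshold` failures, with the usernames they tried."""
    counts, users = parse_failures(lines)
    return {
        ip: {"failures": n, "users": sorted(users[ip])}
        for ip, n in counts.items()
        if n >= threshold
    }


def deny_rules(lines, threshold=THRESHOLD):
    """hosts.deny-style lines for the offenders (returned, not written anywhere)."""
    return [f"sshd: {ip}" for ip in sorted(offenders(lines, threshold))]


if __name__ == "__main__":
    for ip, info in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    print("\n".join(deny_rules(SAMPLE_LOG)))
```

Run against a real auth log, the one-off failure from 198.51.100.9 stays below the threshold while the scanner trying test, guest, admin and root is reported; a production tool would also window the counts by time and expire blocks, which this example leaves out.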

dynamicnet
07-29-04, 12:44
Greetings:

1. See http://isc.sans.org/diary.php?date=2004-07-28 and http://www.incidents.org/diary.php?date=2004-07-23

2. Our hardening uses real time intrusion detection for FTP et al. (we have a custom system; and do not use BFD)

Since we encourage customers to limit SSH by IP, there is little fear of SSH scans.

3. We've seen overall scanning on the increase --> port 22, port 53, etc. Our system includes horizontal scan protection (only works if you have multiple IPs on the box, which most do) so that helps in that regard.

Of note, I've found http://www.dshield.org/survivaltime.php to be an interesting tidbit.

Thank you.

ladylinux
07-29-04, 13:07
Hello,

Additional thing that kinda came to me ..

Customers like to use the word "test" for accounts .. and then maybe "guest" .. Might be worth keeping those but making them unable to run any shell or anything on all boxes ..

Or give it a honeypot type of approach ..

Just ramblings .. But I see these "test" accounts ... and they do create a UNIX user .. even if it's not supposed to really have a shell .. On FreeBSD it creates the user with a skel copy of .profile et al. .. Scary ..

Lady Linux
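Lady Linux's point is that a "test" or "guest" account a customer creates is a real UNIX user and, unless someone takes care, a real login shell. The following is an added example, not part of this thread: it parses /etc/passwd-format lines (a constructed sample is embedded), reports accounts with names commonly tried by scanners that still carry a login shell, flags any second UID 0 account, and prints the usermod command that would neutralise each finding. The list of suspect names and the set of non-login shells are assumptions for the example.

```python
# Names scanners commonly try (assumed list; extend to taste).
SUSPECT_NAMES = {"test", "guest", "demo", "temp", "user"}

# Shells that do not give an interactive login (assumed set; varies by OS).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/nonexistent"}

# Constructed /etc/passwd sample: "test" has a shell, "guest" was already locked down.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
test:x:1001:1001:test account:/home/test:/bin/sh
guest:x:1002:1002:guest:/home/guest:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
toor:x:0:0:alt root:/root:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
""".splitlines()


def parse_passwd(lines):
    """Yield one dict per well-formed passwd line; skip comments and blanks."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; leave it for the admin to look at
        name, _pw, uid, gid, gecos, home, shell = fields
        yield {"name": name, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell}


def audit(lines):
    """Return (account name, reason) findings for the given passwd lines."""
    findings = []
    for acct in parse_passwd(lines):
        if acct["name"] in SUSPECT_NAMES and acct["shell"] not in NOLOGIN_SHELLS:
            findings.append((acct["name"], f"scanner-bait name with login shell {acct['shell']}"))
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append((acct["name"], "second UID 0 account"))
    return findings


def remediation(lines, nologin="/sbin/nologin"):
    """usermod commands that would remove the login shell from flagged accounts (not executed)."""
    cmds = []
    for name, reason in audit(lines):
        if "login shell" in reason:
            cmds.append(f"usermod -s {nologin} {name}")
    return cmds


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
    print("\n".join(remediation(SAMPLE_PASSWD)))
```

To use it on a live box, feed `open("/etc/passwd")` instead of the sample; the UID 0 check is there because a box that has been "kitted", as the first post puts it, often gains exactly that kind of extra account.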