Cybercrime ISP in Estonia
Aug 27, 2009 Security News
It seems that an “ISP” based in Tartu, Estonia has been implicated in running a cybercrime ring that operates in both Europe and the U.S.:
Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.
In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu, employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts.
Read the full post at TrendMicro’s Blog.
Protecting SSH from brute force attacks
Aug 21, 2009 Security Tutorial
I am finally back from an extended summer vacation and thought I would start the blog up again with a nice article from H-Online Security about defending your SSH server against brute force attacks:
Using just open source tools and a few tweaks, it is possible to detect and block suspicious login attempts.
Many people who run servers with SSH access and password authentication get butterflies when it comes to security. If a glance at the server logs shows high volumes of failed logins by automated scripts, it’s natural to wonder whether a carefully selected password is going to be adequate to fend off future brute force attacks. Recent attacks on a number of security sites illustrate that the people who run them don’t always take their own advice.
Simple measures can repel repeated cracking attempts. There are tools available which count failed logins from specific IP addresses and block further access once a set threshold is reached. These tools utilise a range of approaches for dealing with unwanted attention.
Read the rest of the article here.



