[Cialug] Re: RE: Port blocking - and unwanted intruders

Ricky A. Kendall cialug@cialug.org
Tue, 7 Dec 2004 09:08:29 -0800 (PST)


I have seen quite a few ssh attacks coming from South
Korea, China, Argentina, Italy, Germany, and most
recently from SBC (US based communications company). 
I have blocked them with iptables and it's been quite
effective.  I work at a DOE lab in Ames and similar
attacks have been reported there as well.  They are
hitting normal user accounts with names like patrick,
george, adam, alan, andrew etc., as well as root,
nobody, web, webmaster, www, wwwrun etc.  It's most
likely a script kid exploiting an ssh hack they know
of.  Anyway, your best defense is tcpwrappers with a
firewall that blocks offending dirtbags.  Also make
sure you keep your distribution up to date with
security patches.  

I'd be interested in seeing the script mentioned
earlier that looks at wrappers logs and generates a
firewall rule.  

Regards,
Ricky


=====
Ricky A. Kendall         
Ames, Iowa
rickyakendall@yahoo.com
-----------------------------------------------------------
               It takes a big dog to weigh a ton.
-----------------------------------------------------------
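
An example of the kind of log-to-firewall-rule script asked about above, added here and not the script mentioned on the list: it counts failed sshd password attempts per source address and prints iptables DROP rules for addresses at or over a threshold. The log lines are constructed, the function names, threshold and allowlist are assumptions, and it reads sshd log lines rather than tcpwrappers logs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation address ranges).
SAMPLE_LOG = """\
Dec  7 03:11:01 host sshd[2101]: Failed password for invalid user patrick from 203.0.113.9 port 41022 ssh2
Dec  7 03:11:03 host sshd[2103]: Failed password for invalid user george from 203.0.113.9 port 41030 ssh2
Dec  7 03:11:05 host sshd[2105]: Failed password for root from 203.0.113.9 port 41041 ssh2
Dec  7 03:11:07 host sshd[2107]: Failed password for invalid user from 10.9.9.9 from 203.0.113.9 port 41050 ssh2
Dec  7 08:30:12 host sshd[2201]: Failed password for ricky from 192.0.2.10 port 50211 ssh2
Dec  7 08:30:20 host sshd[2201]: Accepted password for ricky from 192.0.2.10 port 50211 ssh2
Dec  7 09:02:44 host sshd[2301]: Failed password for nobody from 198.51.100.77 port 3391 ssh2
Dec  7 09:02:46 host sshd[2303]: Failed password for invalid user www from 198.51.100.77 port 3402 ssh2
Dec  7 09:02:48 host sshd[2305]: Failed password for invalid user wwwrun from 198.51.100.77 port 3410 ssh2
"""

# The user name is text chosen by the remote side, so match the address at the
# END of the line (greedy .*), not the first "from" that appears in it.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+(?: ssh\d?)?$")

def failed_sources(log_text):
    """Count failed password attempts per IPv4 source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            counts[ipaddress.IPv4Address(m.group(1))] += 1
        except ValueError:
            continue  # not a literal IPv4 address; never copy it into a rule
    return counts

def block_rules(log_text, threshold=3, allow=("127.0.0.0/8",)):
    """Return iptables commands for sources with at least `threshold` failures."""
    nets = [ipaddress.ip_network(n) for n in allow]
    rules = []
    for addr, hits in sorted(failed_sources(log_text).items()):
        if hits < threshold or any(addr in n for n in nets):
            continue
        # Allowlisted ranges are skipped so a typo'd password cannot lock you out.
        rules.append(f"iptables -I INPUT -s {addr} -p tcp --dport 22 -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE_LOG)))
```

The script only prints the rules; review them before applying, and put your own management addresses in `allow`.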


		