attack

John Summerfied debian at herakles.homelinux.org
Wed May 11 08:32:16 UTC 2005


David Hoffman wrote:
> On 5/9/05, roland brouwers <roland at cat.be> wrote:
> 
>>Someone is attacking for a certain time on port SSH2
>>He is trying to login as root and uses all kinds of usernames.
>>See annexed textfile
>>
>>How can I block a user after x failed logins?
>>Can I do something else?
>>
> 
> 
> 
> This looks like something VERY common. Wanna-be hackers ("script
> kiddies") try to make repeated connections using common names, hoping
> to find a valid user name on your system, and will try to break in
> using that connection. Of course, for them to be successful, it would
> require them to continue hitting your machine over and over again
> until they finally get through.
> 

Watch your ftp port too. "The boss" wanted an ftp server. Once it was 
used to enumerate user accounts he relented.

If you do not run ftp, look to open it and use it as an xinetd sensor.

Note: you can run ssh from xinetd; startup is slower, but that might not 
be a concern. Apple does that on OS X.



-- 

Cheers
John

-- spambait
1aaaaaaa at computerdatasafe.com.au  Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
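
An added example, not part of the message above: an xinetd configuration that combines the two suggestions, an unused ftp port as a sensor plus sshd started from xinetd. The sensor's deny list only applies to services xinetd itself starts, which is why ssh is moved under xinetd here. File names, the sshd path and all numeric limits are assumptions to adjust.

```conf
# /etc/xinetd.d/ftp-sensor   (file name is an assumption)
# Only use a sensor on a port where no real service is expected.
# Any host that connects to this port is put on xinetd's global
# no_access list and is refused by every xinetd service until
# deny_time expires. Stealth scans are not detected.
service ftp
{
    flags       = SENSOR
    type        = INTERNAL
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    # minutes on the deny list (example value; FOREVER is also accepted)
    deny_time   = 60
    disable     = no
}

# /etc/xinetd.d/ssh   (file name is an assumption)
# The standalone sshd daemon must be stopped first so that xinetd
# can bind port 22.
service ssh
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    # sshd path is an assumption; -i tells sshd it was started from inetd
    server      = /usr/sbin/sshd
    server_args = -i
    # at most 3 simultaneous connections per source address (example value)
    per_source  = 3
    # at most 10 connections per second, then pause the service 30 seconds
    cps         = 10 30
    log_on_failure += HOST
    disable     = no
}
```

This does not count failed logins; it blocks a source as soon as it touches the sensor port and rate-limits connections to ssh.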



