NOUSER

Vivek J. Patankar list307 at gmail.com
Wed Aug 8 01:08:45 UTC 2007


Rick Stevens wrote:
> Personally, I still prefer iptables.  Block them at the NIC level (or as
> close as you can).  Why let them in any further than you absolutely have
> to?

Unfortunately I can't. My company's server hardening policy says 
IPTables should be off!  I have to apply for a "Security Override" if I 
have to enable it. Go figure.
I'm trying to get that changed.


>> My original concern, more of a curiosity really, was about the username 
>> NOUSER. I've been getting attempts for root ever since this server went 
>> live. But never for "NOUSER".
> 
> If you're still getting SSH crack attempts even though there's a
> firewall out there, then you're either getting hit from someone you
> "trust" or it's coming from inside your network.  I'd start an audit PDQ
> (pretty damned quick) and find the culprit.  Undoubtedly some twit
> with a Windows box is infected, either by getting hacked or by opening
> an email with a worm attached.

I did check where the attempts were coming from. The source IP addresses 
were assigned to ISPs. So infected Windows systems are most likely to be 
the culprits.

-- 
Regards,
विवेक ज. पाटणकर (Vivek J. Patankar)

Registered Linux User #374218
Fedora release 7 (Moonshine)
Linux 2.6.22.1-33.fc7 x86_64



