Simon wrote:
> Since it is very unlikely that the attacker is targeting you
> specifically, changing the port number (and removing root access) will
> very likely stop the attack forever. Though, if the attacker did
> target you, then you will need some more security tools (intrusion
> detection, etc...).

I recognise that this doesn't seem to be a targeted attack - but it is still frustrating to find that someone has evaded my IP blocking strategy... even though they pose only a slightly elevated risk by having done so. (Of course, I don't permit root login - that would be madness... and, as far as I'm aware, no-one has guessed even a valid user name... they're all obscure!)

The thing that strikes me is that, in evading my blocking strategy, they clearly identified a bot-net of compromised hosts. With this in mind, ideally, I'd like to:

1. Automatically detect and block all future attacks on all ports from all hosts which are involved in this coordinated attack. These hosts can't be trusted not to be malicious.

2. Somehow inform the administrator of the hosts attacking me (in a respectful way) since, I presume, they are unaware that their host is involved in the attack.

3. Ideally, share this kind of information so that myself and others are better protected from bot-net attacks in future.

It's the sort of thing I imagine has already been done - and there's no point in re-inventing the wheel.