Hello,

Reporting the activity will most likely not do any good since nothing has really come of the login attempts. You would have to prove that the connections are malicious beyond a reasonable doubt. Depending on your logs or traffic analyst this may or may not be possible.

Also most ISPs are too busy to look into and police their network unless something concrete has happened. It is kind of like the stalking law ... not much can be done until it is too late.

I would suggest downloading the latest OpenSSH source, 3.9, and building it from source.

Also restrict which users can use SSH by setting the "AllowUsers" variable, and also:

PermitEmptyPasswords no
StrictModes yes

Michael.

Greg King wrote:
Hi folks,

I have a RH9 system which is exposed to the internet by having a firewall
port forward SSH to it. Root login is disabled, and the few (4~5) accounts
that are on the box have passwords, although probably not as hard as they
should be.

For the past few weeks I've noticed lots of attempts to logon using various
ids, most of which don't exist on the box. I've also heard that SSH itself
has known exploits which can result in nefarious types taking control of a
box. I don't believe the box is compromised yet, as tripwire seems to be not
finding any newly changed system files, but I guess worst case tripwire
itself could be compromised. My question is twofold:

1. How easy is it to compromise SSH (OpenSSH_3.5p1 which was the latest one
available when RH dropped auto update for RH9)? The RedHat site doesn't have
an upgrade after Sep 2003.
2. Is it worth while to try to report this activity to abuse@ whatever
domain the IP is coming from?

Regards,
Greg King
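An added example, not part of either message, tying the two together: a small Python script that triages the failed-login lines Greg is seeing (splitting guesses against nonexistent IDs from guesses against real accounts, which are the ones weak passwords expose) and checks the sshd_config directives Michael names. The log lines, IP addresses and config fragment are constructed samples; older OpenSSH releases logged "illegal user" and current ones log "invalid user", so both are matched.

```python
# Added example (not from the list): triage failed SSH logins and check the
# sshd_config directives Michael recommends. Log and config are constructed.
import re
from collections import Counter

SAMPLE_LOG = """\
Oct  3 02:14:07 host sshd[2211]: Failed password for illegal user admin from 192.0.2.10 port 4422 ssh2
Oct  3 02:14:09 host sshd[2213]: Failed password for illegal user test from 192.0.2.10 port 4430 ssh2
Oct  3 02:14:12 host sshd[2215]: Failed password for greg from 192.0.2.10 port 4441 ssh2
Oct  3 02:20:31 host sshd[2290]: Accepted password for greg from 198.51.100.7 port 50122 ssh2
Oct  3 02:21:02 host sshd[2301]: Failed password for illegal user oracle from 203.0.113.5 port 3390 ssh2
"""

# "illegal user" (older OpenSSH) or "invalid user" (newer) marks a nonexistent account.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<bad>(?:illegal|invalid) user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def triage_failures(log_text):
    """Per source IP, count failures against nonexistent ('unknown') and real
    ('known') accounts; the latter are the ones weak passwords expose."""
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip.setdefault(m["ip"], Counter())["unknown" if m["bad"] else "known"] += 1
    return per_ip

# Constructed sshd_config fragment with Michael's directives left risky or commented out.
SAMPLE_CONFIG = """\
Protocol 2
PermitRootLogin no
PermitEmptyPasswords yes
#StrictModes yes
"""
WANTED = {"PermitEmptyPasswords": "no", "StrictModes": "yes"}

def check_sshd_config(text):
    """Report directives missing or not at the recommended value. sshd uses
    the first occurrence of a keyword, so later duplicates are ignored here."""
    seen = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # strip comments, split keyword/value
        if parts:
            seen.setdefault(parts[0], parts[1].strip() if len(parts) > 1 else "")
    findings = [f"{k} is {seen[k]}, should be {v}" if k in seen
                else f"{k} not set, compiled-in default applies"
                for k, v in WANTED.items() if seen.get(k, "").lower() != v]
    if "AllowUsers" not in seen:
        findings.append("AllowUsers not set: no account allow-list is enforced")
    return findings
```

On RH9 the sshd lines live in /var/log/secure, so `triage_failures(open("/var/log/secure").read())` is the real-world call; a source that fails against an account that actually exists deserves more attention than one cycling through names that do not.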




_______________________________________________ clug-talk mailing list [email protected] http://clug.ca/mailman/listinfo/clug-talk_clug.ca Mailing List Guidelines (http://clug.ca/ml_guidelines.php) **Please remove these lines when replying