On Saturday 10 November 2007 04:46, Adam Hardy wrote: > One routine check that I do on my webserver to check it's OK is netstat, > and this time it looks like I was under attack from some muppet out > there via what seems to be a brute force attempt to crack my ssh login. > > Trying to understand the info, what is the foreign address - is that the > attacker's domain name: 59-124-248-196.HI ? If so, how come it's this > weird format? And what's 59-124-248-19:dircproxy? And how come so many > listed connections have no PID? Are they just abandoned login attempts?
Since reverse DNS can easily be forged, suggest you use -n switch on netstat to see the real IP addresses. You can later look them up with host, whois, etc. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]