If one wanted to trap these kinds of attempts and block that IP using ipchains, how would one do that? :)
-Rob

On 20050510.1515, Jim Beard said ...
> Howdy folks,
>
> So the other day I had a RedHat server hang on me. It had been up
> for 250ish days I think, so I rebooted it and started looking through
> the system logs (/var/log/message*) to see if anything might have been
> logged to hint at why the machine had hung. What I found was a lot of
> ssh brute force login attempts for standard accounts. We had the ssh
> port tunneled through the firewall. So this didn't really seem all
> that exciting, as I realize people get port scanned constantly and ssh
> was open. But then I noticed something that did disturb me. A few
> lone (or maybe groups of 2 or 3) attempts were made on non-standard
> accounts. On old system user accounts. Theoretically an ex-employee
> could be doing it, but I find that a bit doubtful. The standard ssh
> port and a port going to a tomcat web app server have been the only
> ports that have been forwarded to the machine...
> Anyone got any advice on figuring out if some other compromise might
> have been used to determine the system users? Or... Anyone got any
> advice on figuring out why the machine originally hung? I could not
> bring up a terminal when connected directly to the machine, it would
> not respond to ssh connections. My guess was that it ran out of
> process ids or the /var partition filled up...
>
> Jim Beard
> counterclaim, Inc
> http://www.counterclaim.com
> http://openefm.sourceforge.net
> (800) 264-8145
>
> _______________________________________________
> EUGLUG mailing list
> [email protected]
> http://www.euglug.org/mailman/listinfo/euglug
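One way to do what Rob asks, and at the same time answer Jim's question about which account names were actually probed: pull the sshd failure lines out of /var/log/messages*, count them per source address, and emit an ipchains rule for every address over a threshold. The script below is an added example and is not from either poster. The log lines in SAMPLE_LOG are constructed for the example (the two wordings "illegal user" and "invalid user" both occur in OpenSSH of that era); the threshold of 3 and the names failed_by_ip, probed_users, offenders and ipchains_rule are the example's own. ipchains is the 2.2-kernel tool; on a 2.4 or later kernel the equivalent is iptables -I INPUT -s <ip> -j DROP. Note that a reactive per-IP block only slows a single scanner down; it does nothing against attempts spread over many addresses, so restricting sshd to key authentication and known source networks is the stronger fix.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise sshd brute-force
# attempts from syslog and turn repeat offenders into ipchains DENY rules.

# Constructed sample log lines standing in for /var/log/messages*.
SAMPLE_LOG='May 10 14:02:11 host sshd[2131]: Failed password for root from 192.0.2.10 port 51320 ssh2
May 10 14:02:13 host sshd[2133]: Failed password for invalid user oracle from 192.0.2.10 port 51322 ssh2
May 10 14:02:15 host sshd[2135]: Failed password for invalid user admin from 192.0.2.10 port 51324 ssh2
May 10 14:02:17 host sshd[2137]: Failed password for invalid user test from 192.0.2.10 port 51326 ssh2
May 10 14:05:40 host sshd[2150]: Failed password for jbeard from 198.51.100.7 port 40022 ssh2
May 10 14:07:02 host sshd[2160]: Accepted publickey for jbeard from 203.0.113.5 port 50011 ssh2
May 10 14:09:30 host sshd[2170]: Illegal user wwwrun from 198.51.100.7
May 10 14:09:31 host sshd[2170]: Failed password for illegal user wwwrun from 198.51.100.7 port 40030 ssh2'

# Read syslog lines on stdin; print "<count> <ip>" per source address,
# busiest first. Only "Failed password" lines count, so a successful
# login from a new address is never mistaken for an attack.
failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' \
      | sed -E 's/.* from ([0-9]+(\.[0-9]+){3}) .*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Read syslog lines on stdin; print "<ip> <username>" for every account
# name that was tried, so old or non-standard local accounts stand out.
# \1 swallows the optional "invalid user " / "illegal user " prefix.
probed_users() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' \
      | sed -E 's/.*Failed password for (invalid user |illegal user )?([^ ]+) from ([0-9.]+) .*/\3 \2/' \
      | sort -u
}

# Read syslog lines on stdin; print the addresses with at least $1 failures.
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# Print the ipchains command that silently drops everything from $1.
# -I input inserts at the head of the input chain so it wins over any
# later ACCEPT; DENY drops without an ICMP reply (REJECT would answer).
ipchains_rule() {
    printf 'ipchains -I input -s %s -j DENY\n' "$1"
}

# Demonstration on the constructed sample. On a real box replace the
# printf with: cat /var/log/messages* | offenders 3 | while ...
printf '%s\n' "$SAMPLE_LOG" | probed_users
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | while read -r ip; do
    ipchains_rule "$ip"
done
```

Run the generated rules through `sh` only after reading them; the address that failed twice (198.51.100.7 here) stays below the threshold, which is deliberate, since a legitimate user mistyping a password twice should not lock themselves out. To make the block survive a reboot, append the rules to the ipchains save file your distribution restores at boot rather than running them ad hoc.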
