At 12:16 AM +0200 7/19/05, Romain GAILLEGUE wrote:
> Today, I look in my log file and just before an attack I see that there is this kind of line:
>
> Jul 18 22:40:51 llaw sshd[15543]: Did not receive identification string from 80.57.221.58
>
> so with swatch and pf (for example) it's possible to block this IP for some hours just before the attack.

I looked over some records I have from a few hosts, and while that error did pop up for some attacks, it did not pop up for other attacks. So, while that is an interesting indicator of a possible attack, you will still have to handle attacks which will not give you that advance warning.

Also, in some cases that advance warning showed up less than 20 minutes before the attack, so you can't assume that you will have hours to react even if you do see the warning.

--
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]
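
Added example, not part of the original messages: a small log check that measures, per source IP, whether the "Did not receive identification string" line actually preceded the password guessing and by how long. The sample log lines, the documentation-range IPs, the "Failed password" line format and the assumed year are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range IPs), in the syslog format quoted above.
SAMPLE_LOG = """\
Jul 18 22:40:51 llaw sshd[15543]: Did not receive identification string from 192.0.2.10
Jul 18 22:58:03 llaw sshd[15601]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jul 18 22:58:05 llaw sshd[15603]: Failed password for invalid user admin from 192.0.2.10 port 40118 ssh2
Jul 19 01:12:30 llaw sshd[16002]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jul 19 01:12:33 llaw sshd[16004]: Failed password for invalid user test from 198.51.100.7 port 51240 ssh2
Jul 19 03:05:00 llaw sshd[16100]: Did not receive identification string from 203.0.113.99
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
PROBE = re.compile(r"^Did not receive identification string from (\S+)")
# Greedy ".*" binds to the LAST " from <ip> port <n>", so a user name that
# itself contains " from ..." cannot redirect the match to a spoofed address.
FAIL = re.compile(r"^Failed password for .* from (\S+) port \d+")

def analyze(log_text, year=2005):
    """Return {ip: (status, lead_time)}; syslog omits the year, so it is assumed."""
    probes, attacks = {}, {}          # first time each IP was seen per event type
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for pattern, first_seen in ((PROBE, probes), (FAIL, attacks)):
            hit = pattern.match(m.group(2))
            if hit:
                first_seen.setdefault(hit.group(1), when)
    report = {}
    for ip in probes.keys() | attacks.keys():
        probe, attack = probes.get(ip), attacks.get(ip)
        if attack is None:
            report[ip] = ("probe-only", None)               # warning, no attack seen
        elif probe is None or probe > attack:
            report[ip] = ("attack-without-warning", None)   # blocking on the probe misses this
        else:
            report[ip] = ("attack-after-probe", attack - probe)
    return report

if __name__ == "__main__":
    for ip, (status, lead) in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{ip:15} {status:24} lead={lead}")
```

Run against real logs, the share of "attack-without-warning" entries and the smallest lead time show how much a probe-triggered block would actually cover.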

