Point well taken (BTW, I also have RR). On second inspection I noticed that I only got repeat IPs once or twice. Also, a whois tells me that they are coming from China, Korea, Nicaragua, and Brazil (except for the repeats, which all came from Shaw cable customers). The methodical request for the same 5 or so usernames makes me think that this is the work of some script. I should update my offer to say that anyone that has any good ideas on how to deal with this can get the gmail invite (if you want it).
Thanks, James > Strangely enough, I never had those multiple ssh login attempts for > nearly 3 years... then my IP address finally changes with RR and I > suddenly get them, as many as 3-4 different attempts each week, > whichever IP hits me covers all those possibles; test, guest, admin and > most recently even root showed up. I also use IPTABLES. I started to > wonder if I ended up with an IP on someone's sh*t list. I've traced all > the IPs that have hit me in this manner to China and Korea. At this > point, I'm vigilantly keeping my system updated, and having faith in > linux (b/c I'm not going to turn off ssh). I have never seen the same > IP twice (except on multiple attempts that were logged at the same > time). Another thought I had, when I was originally only seeing test > and guest and admin was some crazy Microsoft based worm was doing it... > but when I saw root attempts most recently, I guess that idea was no > good. Currently I'm not adding these IPs to any blocking, as there are > no repeats so far, so what's the point. > > any thoughts from anyone else on this would be interesting to read. > > laters, > David M. > > ps, I'm already gmailified. :) > > > --- James Lloyd Beidler <[EMAIL PROTECTED]> wrote: > I'm willing to give one away to >> anyone that can give me a simple and elegant way to automatically >> block IPs of people that make multiple attempts at sshing into my >> machine using accounts that do not exist (ie. test, guest, admin). I >> use IPTABLES ;) >> -James >> > > > > > __________________________________ > Do you Yahoo!? > New and Improved Yahoo! Mail - Send 10MB messages! > http://promotions.yahoo.com/new_mail > -- > TriLUG mailing list : > http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ > : http://trilug.org/faq/ > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ > TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc -- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
