OK - First a disclaimer (so Mike J. doesn't jump on me for advancing this idea as TRUE security): This is a reasonably easily sniffed-and-evaded security-through-obscurity mechanism, but it should work to help eliminate these random attacks on your system.
Port Knocking (as discussed in Linux Journal and SysAdmin in June 2003) is an interesting approach to attempting to access open ports via the wild wooly Internet without always having listeners up. Of course, this will require either a Linux/*BSD firewall, or at least having your system config'd as a DMZ host (for the Linksys/NetGear/et al families of routers), but it might prove helpful.

http://www.portknocking.org/

Enjoy!
Shane O.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Johnson
Sent: Tuesday, August 24, 2004 10:27 AM
To: Triangle Linux Users Group discussion list
Subject: Re: [TriLUG] list newbie has stuff to give away (gmail type stuff)

James Lloyd Beidler [EMAIL PROTECTED] wrote:
> Point well taken (BTW, I also have RR). On second inspection I noticed
> that I only got repeat IPs once or twice. Also, a whois tells me that
> they are coming from China, Korea, Nicaragua, and Brazil (except for the
> repeats, which all came from Shaw cable customers). The methodical
> request for the same 5 or so usernames makes me think that this is the
> work of some script. I should update my offer to say that anyone that
> has any good ideas on how to deal with this can get the gmail invite (if
> you want it).

My advice is to simply ignore it. It's not worth the time and effort to code up something that will likely false positive on you.

Here's some information on what you're seeing:
http://isc.sans.org/diary.php?date=2004-08-22

And read the messages titled "SSH Scanner?" on this page:
http://lists.sans.org/pipermail/list/2004-July/thread.html

Like I said, ignore it. If you don't have those accounts and your version of openssh is reasonably up to date, you're fine. You should, however, attempt to notify the ISPs from which the attacks originate. You likely won't hear anything back from the overseas attacks, but I wouldn't be surprised if Shaw pulled the plug on that one IP.
Mike, already gmail'd

-- 
"Spare me your space-age technobabble Atilla The Hun!" -- Zapp Brannigan
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
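As an added illustration of the port-knocking mechanism Shane's message points to (example code written for this edit, not from the thread or from portknocking.org): a minimal tracker that watches rejected connection attempts per source and grants access only once the whole knock sequence arrives in order and within a time window. The sequence, the window and the sample events are constructed assumptions.

```python
# Added example (not from the thread): a minimal port-knock state tracker.
# It decides, from a stream of rejected connection attempts, when a source
# has sent the right sequence and a firewall rule should be opened for it.
# Sequence, window and the sample events below are constructed for the demo.
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence
KNOCK_WINDOW_S = 10.0                # whole sequence must arrive within this

@dataclass
class KnockState:
    index: int = 0        # knocks matched so far
    started: float = 0.0  # timestamp of the first matching knock

class PortKnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_S):
        self.sequence = tuple(sequence)
        self.window = window
        self.state = {}   # src_ip -> KnockState
        self.opened = []  # (src_ip, ts) for which access was granted

    def observe(self, src_ip, dst_port, ts):
        """Feed one event; return True when src_ip completes the sequence."""
        st = self.state.get(src_ip, KnockState())
        # A stale partial sequence is discarded, not silently continued.
        if st.index and ts - st.started > self.window:
            st = KnockState()
        if dst_port == self.sequence[st.index]:
            if st.index == 0:
                st.started = ts
            st.index += 1
        elif dst_port == self.sequence[0]:
            st = KnockState(index=1, started=ts)  # wrong knock, fresh start
        else:
            st = KnockState()  # any other port (e.g. a sequential scan) resets
        if st.index == len(self.sequence):
            self.opened.append((src_ip, ts))
            self.state.pop(src_ip, None)
            return True
        self.state[src_ip] = st
        return False

def run_demo(events):
    """Return the sources that completed the knock, in order of completion."""
    tracker = PortKnockTracker()
    return [src for src, port, ts in events if tracker.observe(src, port, ts)]

# Constructed sample events: (source, destination port, timestamp in seconds)
SAMPLE_EVENTS = [
    ("203.0.113.5", 7000, 0.0), ("203.0.113.5", 8000, 1.0), ("203.0.113.5", 9000, 2.0),
    ("198.51.100.9", 7000, 0.0), ("198.51.100.9", 9000, 1.0), ("198.51.100.9", 8000, 1.5),
    ("192.0.2.7", 7000, 0.0), ("192.0.2.7", 8000, 5.0), ("192.0.2.7", 9000, 30.0),
]
```

Only the first source completes the knock; the second sends it out of order and the third exceeds the window, which is the behaviour a real knock daemon needs so that random scans and slow probes never line up into a valid sequence.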
