Break-In Attempt -- Now What?

Rob Sutherland rob-HoWcdTCbwWKHoZZAE0nKLw at public.gmane.org
Tue Nov 30 16:24:25 UTC 2004


On Tue, 30 Nov 2004 11:00:29 -0500
Peter King <peter.king-H217xnMUJC0sA/PxXw9srA at public.gmane.org> wrote:

> Yesterday someone tried to break into my system (behind a firewall with
> only port 22 open for ssh), apparently running some sort of kit: a few
> thousand attempts in about seven minutes, most trying for "obvious"
> names (web server root admin and so on). I caught this about two hours
> later while reviewing my logfiles, which, in addition to faithfully
> logging all the break-in attempts, also snagged the intruder's IP
> address.
> 
> Two hours later? Well, what the hell, I thought, and ran traceroute on
> it. And there it was: the computer from which the attacks had been
> launched was up and running on the net somewhere (I think Korea but it
> wasn't entirely clear from traceroute).

Yeah, they're a busy bunch - they hit my box last week. If you change your ssh
configuration to listen on a different port, that will at least stop your system
from getting DOSed. Yes, it was Korea. 

Rob 


-- 
Rob Sutherland - rob-HoWcdTCbwWKHoZZAE0nKLw at public.gmane.org
Computer Support at http://www.cheapersafer.com
Land: (416) 536-0176 | Cell: (416)407-1391
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
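
Added example, not part of the original messages: a sliding-window check over sshd log lines that flags a source address making a burst of failed logins like the one described above. The log lines, addresses (documentation ranges), threshold and year are constructed assumptions; the "illegal user" / "invalid user" wording is matched in both forms.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line; older releases log "illegal user", newer ones "invalid user".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bursts(lines, threshold=5, window=timedelta(minutes=7), year=2004):
    """Return {ip: {"peak": n, "users": set}} for every source whose failed
    logins reach `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every user name it tried
    peak = defaultdict(int)       # ip -> largest failure count seen in one window
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are skipped
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        users[m["ip"]].add(m["user"])
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: {"peak": peak[ip], "users": users[ip]}
            for ip in peak if peak[ip] >= threshold}

# Constructed sample: one stale failure, one ordinary typo, then a burst.
SAMPLE = [
    "Nov 29 13:00:00 host sshd[4000]: Failed password for illegal user test from 192.0.2.10 port 39999 ssh2",
    "Nov 29 14:01:30 host sshd[4001]: Failed password for alice from 198.51.100.7 port 51000 ssh2",
    "Nov 29 14:01:40 host sshd[4002]: Accepted password for alice from 198.51.100.7 port 51001 ssh2",
] + [
    f"Nov 29 14:02:{i:02d} host sshd[{4100 + i}]: Failed password for "
    f"{'' if u == 'root' else 'illegal user '}{u} from 192.0.2.10 port {40000 + i} ssh2"
    for i, u in enumerate(["root", "admin", "web", "server", "guest", "oracle"])
]

if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE).items():
        print(ip, info["peak"], sorted(info["users"]))
```
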




