attack on my server

Martin Duclos tchitow-PkbjNfxxIARBDgjK7y7TUQ at public.gmane.org
Mon Aug 27 23:14:19 UTC 2007


Thanks for all the replies! I was thinking of just blocking by IP but it 
can get tedious to keep going thru logs to find each offending host and 
block IP by IP. My worry with that was that the attacker might have a whole 
pool of addresses. I didn't think changing the port would help that much. I 
like the idea of DenyHosts and the like.
Martin

----Original Message Follows----
From: "Charles philip Chan" <cpchan-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org>
Reply-To: tlug-lxSQFCZeNF4 at public.gmane.org
To: tlug-lxSQFCZeNF4 at public.gmane.org
Subject: Re: [TLUG]: attack on my server
Date: Mon, 27 Aug 2007 18:54:56 -0400

Jamon Camisso <jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org> writes:

 > Sure, again keys are best. But moving the port reduces automated scans
 > drastically, I'd say by an order of magnitude at least, usually more.

No matter what, a port scan will find it. A better option for this is to
use DenyHosts:

http://denyhosts.sourceforge.net/

if your copy of sshd is compiled with tcpwrapper support. Another option
is to use snort with flex-response or in conjunction with guardian.pl or
blockit.pl.

Charles

--
Use debugging compilers.
             - The Elements of Programming Style (Kernighan & Plauger)


--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
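
The log-reading chore described in the thread (find each offending host, then block it through tcpwrappers) can be sketched as follows. This is an added example, not part of the original messages and not DenyHosts' own code; the log lines are constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (not from the thread).
SAMPLE_LOG = """\
Aug 27 18:01:02 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Aug 27 18:01:04 host sshd[4103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Aug 27 18:01:07 host sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Aug 27 18:02:10 host sshd[4110]: Failed password for martin from 192.0.2.10 port 51514 ssh2
Aug 27 18:02:15 host sshd[4110]: Accepted password for martin from 192.0.2.10 port 51514 ssh2
Aug 27 18:03:00 host sshd[4120]: Failed password for root from 198.51.100.7 port 33100 ssh2
Aug 27 18:03:02 host sshd[4122]: Failed password for invalid user from 10.0.0.1 from 198.51.100.7 port 33102 ssh2
"""

# The user name is text chosen by the remote side, so the address is taken
# only from the fixed tail of the line ("from <ip> port <n> ssh2" at the end).
# The greedy ".*" plus the "$" anchor make the LAST "from <ip>" the one captured.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.*"
    r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def count_failures(log_text):
    """Return a Counter of failed-password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line.strip())
        if match:
            counts[match.group(1)] += 1
    return counts

def hosts_deny_lines(counts, threshold=3, allow=()):
    """Build hosts.deny entries for addresses at or above the threshold.

    'allow' lists addresses that must never be blocked (for example your
    own admin host), so a typo-prone legitimate user is not locked out.
    """
    return sorted(
        f"sshd: {ip}" for ip, n in counts.items()
        if n >= threshold and ip not in allow
    )

if __name__ == "__main__":
    for entry in hosts_deny_lines(count_failures(SAMPLE_LOG)):
        print(entry)  # lines suitable for appending to /etc/hosts.deny
```

As Charles notes, entries in hosts.deny only take effect if sshd was built with tcpwrapper support.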




