<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I see attempts about every other day. Because of this, I send e-mails
to ISPs about every other day. After the third offense from within the
same range, I block all access to our servers from that range, unless
the ISP attempts to correct the problem.<br>
<br>
I also keep track of all attempts so that I can reference it later in
case of a break in.<br>
<pre class="moz-signature" cols="72">Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
<a class="moz-txt-link-abbreviated" href="mailto:halln@otc.edu">halln@otc.edu</a>
417-447-7535
</pre>
<br>
<br>
Gerry Doris wrote:
<blockquote cite="mid1102459609.29276.2.camel@jaguar.dorfam.ca"
type="cite">
<pre wrap="">On Tue, 2004-12-07 at 15:24, Michael Yep wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello
In my LogWatch report I get many login attacks, many from the same IP address.
sshd:
Authentication Failures:
root (218.232.109.187): 59 Time(s)
adm (218.232.109.187): 2 Time(s)
apache (218.232.109.187): 1 Time(s)
nobody (218.232.109.187): 1 Time(s)
operator (218.232.109.187): 1 Time(s)
Invalid Users:
Unknown Account: 43 Time(s)
I have permitRootLogin set to NO, and I use strong passwords, but can I
just add these IP addresses to hosts.deny?
and if so how would I set that up
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
</pre>
</blockquote>
<pre wrap=""><!---->
I had so many problems with the 218.0.0.0/24 domain that I totally
blocked the entire domain. I believe this domain is in Korea.
</pre>
</blockquote>
</body>
</html>