Login attacks

Scot L. Harris webid at cfl.rr.com
Tue Dec 7 21:24:17 UTC 2004


On Tue, 2004-12-07 at 15:24, Michael Yep wrote:
> Hello
> 
> In my LogWatch report I get many login attacks, many from the same IP address.
> 
> sshd:
>     Authentication Failures:
>        root (218.232.109.187): 59 Time(s)

> I have permitRootLogin set to NO, and I use strong passwords, but can I 
> just add these IP addresses to hosts.deny?
> And if so, how would I set that up?


You may also want to add the IP address those probes are coming from to
your iptables with a drop rule.  This makes sure that nothing from that
IP address can do anything on your system.

If they are trying ssh they may be trying other ports.  And any address
that shows up many different times needs to be blocked completely.  It
is either a script kiddie trying all kinds of different things or a
compromised system someone else is using to launch further attacks. 
Either way blocking them completely keeps your system safe and does not
impact you at all.


-- 
Scot L. Harris
webid at cfl.rr.com

Pollyanna's Educational Constant:
	The hyperactive child is never absent. 
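
Added example, not part of the original message: a shell sketch that counts sshd password failures per source address and prints, for review, the iptables drop rule suggested above and the matching hosts.deny line asked about in the question. The log lines are constructed, the function names and threshold are hypothetical, and the hosts.deny line assumes sshd is built with TCP wrappers support.

```sh
#!/bin/sh
# Constructed sample log. 218.232.109.187 is the address from the LogWatch
# report above; 192.0.2.7 and 198.51.100.9 are documentation addresses.
sample_log() {
cat <<'EOF'
Dec  7 15:01:02 host sshd[2101]: Failed password for root from 218.232.109.187 port 40112 ssh2
Dec  7 15:01:05 host sshd[2103]: Failed password for root from 218.232.109.187 port 40120 ssh2
Dec  7 15:01:09 host sshd[2105]: Failed password for root from 218.232.109.187 port 40131 ssh2
Dec  7 15:02:00 host sshd[2110]: Failed password for illegal user x from 192.0.2.7 from 218.232.109.187 port 40140 ssh2
Dec  7 15:03:00 host sshd[2120]: Failed password for michael from 198.51.100.9 port 50022 ssh2
Dec  7 15:04:00 host sshd[2125]: Accepted password for michael from 198.51.100.9 port 50030 ssh2
EOF
}

# failed_ips THRESHOLD < logfile
# Prints each source address with at least THRESHOLD failed passwords.
# The user name in the log is supplied by the remote side, so only the
# field directly before "port" is trusted, and it must look like an
# IPv4 address before it can end up in a rule.
failed_ips() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" &&
        $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# emit_rules < list of addresses
# Prints the rules instead of applying them, so they can be reviewed first.
emit_rules() {
    while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"   # drop everything from this address
        echo "sshd: $ip"                          # line to append to /etc/hosts.deny
    done
}

# Addresses with three or more failures in the sample log.
sample_log | failed_ips 3 | emit_rules
```

Check the printed addresses against your own before applying anything, so that a mistyped password does not lock you out of the machine.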



