I see attempts about every other day. Because of this, I send e-mails
to ISPs about every other day. After the third offense from within the
same range, I block all access to our servers from that range, unless
the ISP attempts to correct the problem.|
I also keep track of all attempts so that I can reference it later in case of a break in.
Nathaniel Hall, GSEC Intrusion Detection and Firewall Technician Ozarks Technical Community College -- Office of Computer Networking halln otc edu 417-447-7535
Gerry Doris wrote:
On Tue, 2004-12-07 at 15:24, Michael Yep wrote:Hello In my LogWatch report I get many login attacks, many from the same IP address. sshd: Authentication Failures: root (22.214.171.124): 59 Time(s) adm (126.96.36.199): 2 Time(s) apache (188.8.131.52): 1 Time(s) nobody (184.108.40.206): 1 Time(s) operator (220.127.116.11): 1 Time(s) Invalid Users: Unknown Account: 43 Time(s) I have permitRootLogin set to NO, and I use strong passwords, but can I just add these IP addresses to hosts.deny? and if so how would I set that up Michael Yep Development / Technical Operations RemoteLink, Inc.I had so many problems with the 18.104.22.168/24 domain that I totally blocked the entire domain. I believe this domain is in Korea.