Attempted SSH Logins

Parker Morse morse at sinauer.com
Thu Aug 5 17:42:11 UTC 2004


On Wednesday, Aug 4, 2004, at 17:00 US/Eastern, James Harrison wrote:
> I then got on to their website, found the webmaster email account and
> sent them a very nasty rude email along with evidence of them attempting
> to access my machine without permission.
>
> Needless to say, I now don't have any problems from them.

I understand that most of the sources of these probes are zombie drones 
or other compromised systems. The first time I saw such a probe 
(they're easy to spot, since the same IP will scan all three of my 
internet-facing servers on the same day) I politely emailed the 
technical contact responsible for that netblock, asking if there was 
something I should know about (or, conversely, if there was something 
*he* should know about.)

They apologized profusely and explained that the infected system had 
been taken offline within an hour of the first scans.

Go easy on 'em. "There but for the grace of God go you and I," or 
something like that.

Going from permissive to restrictive firewalling (from "anybody except" 
to "nobody except") with SSH would be a good step. Restricting accounts 
with shell login access from SSH can't hurt, either; the no-root-logins 
configuration mentioned here recently should be mandatory.

pjm
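The "same IP scans all three of my internet-facing servers on the same day" heuristic from the message above, as an added shell example that is not part of the original post: it correlates sshd failure lines gathered from several hosts and reports any source address seen on at least N distinct hosts within one calendar day. Host names, addresses and log lines are constructed sample data in the OpenSSH syslog format of the era.

```shell
#!/bin/sh
# Constructed sample: auth-log lines from three hosts (web1, mail1, dns1),
# concatenated into one stream. Addresses are from documentation ranges.
SAMPLE_LOG='Aug  4 09:12:01 web1 sshd[4012]: Failed password for illegal user test from 192.0.2.10 port 3321 ssh2
Aug  4 09:12:03 web1 sshd[4014]: Failed password for illegal user guest from 192.0.2.10 port 3322 ssh2
Aug  4 09:40:17 mail1 sshd[2207]: Failed password for illegal user test from 192.0.2.10 port 4101 ssh2
Aug  4 10:05:44 dns1 sshd[919]: Failed password for root from 192.0.2.10 port 5012 ssh2
Aug  4 11:30:00 web1 sshd[4100]: Failed password for alice from 198.51.100.7 port 50112 ssh2
Aug  5 02:14:09 mail1 sshd[2300]: Failed password for illegal user admin from 203.0.113.5 port 1077 ssh2
Aug  5 02:14:12 dns1 sshd[950]: Failed password for illegal user admin from 203.0.113.5 port 1078 ssh2'

# Read syslog lines on stdin; print "Mon D ip host-count" for every source
# that produced failed SSH logins on at least $1 distinct hosts on one day.
# A single user's typo on one host (198.51.100.7 above) is never reported.
probe_sources() {
    min_hosts="$1"
    awk -v min="$min_hosts" '
        /sshd\[[0-9]+\]: Failed password/ {
            day  = $1 " " $2            # month and day-of-month
            host = $4                   # syslog hostname field
            for (i = 5; i <= NF; i++)
                if ($i == "from") ip = $(i + 1)
            key = day "|" ip
            # count each (day, ip, host) triple once, however many attempts
            if (!((key, host) in seen)) { seen[key, host] = 1; count[key]++ }
        }
        END {
            for (k in count)
                if (count[k] >= min) {
                    split(k, p, "|")
                    print p[1], p[2], count[k]
                }
        }' | sort
}

# Sources that touched all three hosts on the same day.
printf '%s\n' "$SAMPLE_LOG" | probe_sources 3
```

Lower the threshold (`probe_sources 2`) to also surface the source that only reached two of the three hosts.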
More information about the redhat-list mailing list