Server Probing
Georgios Magklaras
georgios at biotek.uio.no
Thu Jan 31 12:42:29 UTC 2013
On 29/01/13 17:18, Florez, Nestor wrote:
> Hi,
>
> I apologize if this is the wrong place to ask about probing.
>
> Some of our servers were probed back on the 24th of January
> By these IP addresses
>
> And in the last 24 hours by these IP addresses
>
>
> I have been getting a lot more server probing messages than usual
> I was wondering how do you handle it?
> What do you look for on your server to see if there are problems?
>
> Any ideas will be appreciated.
>
> Thanks!!!!
>
> Né§t☼r
>
Apart from fail2ban and the other suggestions, what I tend to do is to
have in the DMZ a system to ssh into the rest of my system (commonly
referred to as a bastion host: http://en.wikipedia.org/wiki/Bastion_host).
To quickly visualize this, you have:

Internet <-> Firewall/DMZ (bastion host) <-> Protected Network (Server1, Server2, ... Server n)

The idea is that only the Firewall/DMZ has port 22 open. You then have
to do an extra SSH to get to the Server boxes. If you set up SSH keys to
the bastion host instead of passwords, then that would be easier. So,
you protect the rest of the network by avoiding people probing your servers
and you can reach them anytime you want by means of an extra SSH.
GM
Best regards,
--
George Magklaras PhD
RHCE no: 805008309135525
Head of IT/Senior Systems Engineer
Biotechnology Center of Oslo and
the Norwegian Center for Molecular Medicine/
Vitenskapelig Databehandling (VD) -
Research Computing Services
EMBnet TMPC Chair
http://folk.uio.no/georgios
http://hpc.uio.no
Tel: +47 22840535
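
The bastion-host layout described in the reply above, written out as OpenSSH configuration. This is an added example, not part of the original post. All host names, addresses, the user name and the key path are constructed placeholders, and `ProxyJump` assumes OpenSSH 7.3 or later on the client.

```sshconfig
# ---- Client: ~/.ssh/config ------------------------------------------
# Constructed names: bastion.example, server1/server2.internal.example,
# user "admin", key ~/.ssh/id_ed25519_bastion.

# The bastion is the only machine reachable on port 22 from the Internet.
Host bastion
    HostName bastion.example
    User admin
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

# Internal servers are reached through the bastion; the "extra SSH"
# happens automatically and authentication to the server is end to end.
Host server1 server2
    HostName %h.internal.example
    User admin
    ProxyJump bastion

# ---- Bastion: /etc/ssh/sshd_config ----------------------------------
# Keys instead of passwords, so password guessing against the one
# exposed port 22 cannot succeed.
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers admin
X11Forwarding no
# ProxyJump needs TCP forwarding on the bastion; limit where it may go.
# PermitOpen matches the name exactly as the client requests it.
AllowTcpForwarding yes
PermitOpen server1.internal.example:22 server2.internal.example:22

# ---- Server1..n: /etc/ssh/sshd_config -------------------------------
# Accept SSH logins only when they arrive from the bastion's inside
# address (10.0.0.10 is a constructed value). The firewall should
# enforce the same rule for port 22.
PermitRootLogin no
AllowUsers admin@10.0.0.10
```

With the client section in place, `ssh server1` performs both hops in one command. After editing either `sshd_config`, `sshd -t` checks the syntax before the service is reloaded.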