Dealing with unwelcome visitors
Brian Chabot
brian at datasquire.net
Mon Aug 16 11:12:01 EDT 2004
Ted Roche wrote:
> I have a FC2 machine exposed to the Internet, supporting web, ftp, ssh
> and a few other functions. Each day I read the logs and see one or two
> visitors trying to log into ssh as "admin", "guest", "test" and "user"
> with one try each with a password and one without. The IP address is
> always different, but the fact that the pattern of names and attempts is
> always the same suggests script kiddies.
>
> I manually add the IP address to an iptables chain so that all future
> packets from that address are dropped.
You are not the only one. I see the same thing on the box I administer
for work. Every time a different IP and they never try more than once
each. It's not every day, but often enough that I have taken notice.
> For a while, I was looking up the addresses and sending email to their
> local abuse@ website, but that got to be too much work.
>
> Anyone have a suggestion re:
>
> 1) are these appropriate actions to take?
I would say yes. This is definitely appropriate.
> 2) is there any easier way to do it?
Normally, I tell people to install Portsentry, which will make the
blocking automatic if you are portscanned, but as this script is
checking ports you have open, it won't be useful here. You might try
installing it anyway. I've been VERY happy with the added security it
affords me, even if the list of blocked IPs is now several KB.
> 3) is there something else I ought to be doing?
Not unless you can close off these services. Someone else may have more
ideas, but it sounds like you are doing just what you should be doing.
Brian
--
---------------------------------------------------------------
| brian at datasquire.net http://www.hirebrian.net |
| Simply the Best IT/MIS Manager |
| Self-taught, Fast Learner, and Team Player |
| Ready to Start TODAY at Your Company. |
---------------------------------------------------------------
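
The manual routine discussed in this thread (read the sshd log, add each source address to an iptables chain) can be scripted. The following is an added example, not part of the original messages; the chain name, the allow list, the sample log lines and the assumed OpenSSH line format ("Failed password for invalid user NAME from ADDR port N ssh2", with the older "illegal user" wording) are all assumptions.

```shell
#!/bin/sh
# Added example. Reads sshd log lines and prints, without running them, the
# iptables commands that would drop each source of a failed unknown-user login.

CHAIN="SSH_BLOCK"      # assumed chain name; the post does not give one
ALLOW="203.0.113.5"    # assumed addresses that must never be blocked

# Constructed sample lines (documentation-range addresses, not real logs).
sample_log() {
cat <<'EOF'
Aug 16 03:12:01 host sshd[2101]: Failed password for illegal user admin from 192.0.2.10 port 4021 ssh2
Aug 16 03:12:03 host sshd[2103]: Failed none for illegal user guest from 192.0.2.10 port 4022 ssh2
Aug 16 04:40:10 host sshd[2250]: Failed password for invalid user test from 198.51.100.7 port 3950 ssh2
Aug 16 05:01:44 host sshd[2301]: Failed password for invalid user x from 203.0.113.99 from 198.51.100.7 port 3951 ssh2
Aug 16 06:15:00 host sshd[2400]: Failed password for invalid user user from 203.0.113.5 port 5000 ssh2
Aug 16 07:30:12 host sshd[2511]: Failed password for ted from 192.0.2.77 port 4100 ssh2
Aug 16 07:30:20 host sshd[2511]: Accepted password for ted from 192.0.2.77 port 4100 ssh2
EOF
}

# Print each offending IPv4 address once, in first-seen order.
offending_ips() {
    awk -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /sshd\[[0-9]+\]: Failed (password|none) for (illegal|invalid) user / {
        # The user name is attacker-supplied and may itself contain
        # "from <address>", so take the address from its fixed position
        # at the end of the line, not from the first "from".
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if ((ip in skip) || (ip in seen)) next
        seen[ip] = 1
        print ip
    }'
}

# Turn the address list into DROP rules for review before they are applied.
block_commands() {
    offending_ips | while read -r ip; do
        printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$ip"
    done
}

sample_log | block_commands
```

Failed logins for existing accounts are deliberately ignored, so a mistyped password by a real user does not produce a rule.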