Dealing with unwelcome visitors

Brian Chabot brian at datasquire.net
Mon Aug 16 11:12:01 EDT 2004


Ted Roche wrote:
> I have a FC2 machine exposed to the Internet, supporting web, ftp, ssh 
> and a few other functions. Each day I read the logs and see one or two 
> visitors trying to log into ssh as "admin", "guest", "test" and "user" 
> with one try each with a password and one without. The IP address is 
> always different, but the fact that the pattern of names and attempts is 
> always the same suggests script kiddies.
> 
> I manually add the IP address to an iptables chain so that all future 
> packets from that address are dropped.

You are not the only one.  I see the same thing on the box I administer 
for work.  Every time a different IP and they never try more than once 
each.  It's not every day, but often enough that I have taken notice.


> For a while, I was looking up the addresses and sending email to their 
> local abuse@ website, but that got to be too much work.
> 
> Anyone have a suggestion re:
> 
> 1) are these appropriate actions to take?

I would say yes.  This is definitely appropriate.

> 2) is there any easier way to do it?

Normally, I tell people to install Portsentry, which will make the 
blocking automatic if you are portscanned, but as this script is 
checking ports you have open, it won't be useful here.  You might try 
installing it anyway.  I've been VERY happy with the added security it 
affords me, even if the list of blocked IP's is now several KB.

> 3) is there something else I ought to be doing?

Not unless you can close off these services.  Someone else may have more 
ideas, but it sounds like you are doing just what you should be doing.


Brian

-- 
---------------------------------------------------------------
|   brian at datasquire.net            http://www.hirebrian.net  |
|                Simply the Best IT/MIS Manager               |
|          Self-taught, Fast Learner, and Team Player         |
|            Ready to Start TODAY at Your Company.            |
---------------------------------------------------------------
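One way to automate the daily log read and the manual iptables step Ted describes, as an added example that is not part of the thread or any project mentioned in it. The auth-log lines are constructed samples in the OpenSSH 3.x syslog format of the era, and the chain name BLOCKED and the threshold of two probe usernames are my assumptions.

```python
import re
from collections import defaultdict

# The usernames the thread reports being tried, once each, from ever-changing IPs.
PROBE_USERS = {"admin", "guest", "test", "user"}

# Failed-login lines sshd writes to the auth log: the password attempt and the
# "none" (empty) attempt, for real or illegal/invalid users.
# Group 1 = username, group 2 = source IPv4 address.
FAILED_RE = re.compile(
    r"Failed (?:password|none) for (?:(?:illegal|invalid) user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)

def failed_logins(lines):
    """Return {ip: {usernames}} for every failed sshd login in the lines."""
    seen = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            seen[m.group(2)].add(m.group(1))
    return seen

def probing_ips(lines, min_users=2):
    """IPs matching the thread's pattern: several probe usernames and nothing
    else.  A real account mistyping its password once does not qualify."""
    hits = [ip for ip, users in failed_logins(lines).items()
            if users <= PROBE_USERS and len(users) >= min_users]
    return sorted(hits)

def iptables_drop_rules(ips, chain="BLOCKED"):
    """Render Ted's manual step as commands for a dedicated chain (assumed name)."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]

# Constructed sample auth-log lines (not real traffic).
SAMPLE_LOG = """\
Aug 16 03:12:01 host sshd[4021]: Failed none for illegal user admin from 192.0.2.10 port 42112 ssh2
Aug 16 03:12:02 host sshd[4021]: Failed password for illegal user admin from 192.0.2.10 port 42112 ssh2
Aug 16 03:12:04 host sshd[4023]: Failed password for illegal user guest from 192.0.2.10 port 42118 ssh2
Aug 16 03:12:06 host sshd[4025]: Failed password for illegal user test from 192.0.2.10 port 42120 ssh2
Aug 16 03:12:08 host sshd[4027]: Failed password for illegal user user from 192.0.2.10 port 42125 ssh2
Aug 16 08:40:17 host sshd[4310]: Failed password for ted from 198.51.100.5 port 50122 ssh2
Aug 16 08:40:25 host sshd[4310]: Accepted password for ted from 198.51.100.5 port 50122 ssh2
Aug 16 09:01:44 host sshd[4402]: Failed password for illegal user test from 203.0.113.7 port 3391 ssh2
""".splitlines()

if __name__ == "__main__":
    for rule in iptables_drop_rules(probing_ips(SAMPLE_LOG)):
        print(rule)
```

Run it over /var/log/secure instead of SAMPLE_LOG and feed the output to a review step rather than straight to the shell, so a legitimate user's typo never gets dropped.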
