Dealing with unwelcome visitors

Steven W. Orr steveo at syslang.net
Mon Aug 16 11:29:01 EDT 2004


On Monday, Aug 16th 2004 at 10:44 -0400, quoth Ted Roche:

=>I have a FC2 machine exposed to the Internet, supporting web, ftp, ssh and a
=>few other functions. Each day I read the logs and see one or two visitors
=>trying to log into ssh as "admin", "guest", "test" and "user" with one try
=>each with a password and one without. The IP address is always different, but
=>the fact that the pattern of names and attempts is always the same suggests
=>script kiddies.
=>
=>I manually add the IP address to an iptables chain so that all future packets
=>from that address are dropped.
=>
=>For a while, I was looking up the addresses and sending email to their local
=>abuse@ website, but that got to be too much work.
=>
=>Anyone have a suggestion re:
=>
=>1) are these appropriate actions to take?

Not bad but probably not useful. If the IP address is from a dynamic pool 
then it does you no good at all to blacklist the address. Same thing 
applies about sending email.

=>2) is there any easier way to do it?

I say the easiest thing is to do nothing. They tried and they failed. The 
system works. If you get activity like this from a static address, then 
you can get all fire and brimstone on their asses.

=>3) is there something else I ought to be doing?

Shut off FTP. It's insecure and there's really no need for it. I actually 
got broken into a few years back by having FTP enabled.

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
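The manual step Ted describes (read the log, pick out the addresses that probed the canned account names, add each one to an iptables chain) is easy to automate. The script below is an added example, not code from either poster: it parses constructed sshd syslog lines in both the older "Illegal user" and the newer "Invalid user" wording, flags only addresses that tried at least two of the four names from the pattern (so a single typo'd login by a legitimate user is not blocked), and emits the iptables commands for a dedicated chain. The chain name SSH-BLOCK, the sample hostname, PIDs and addresses (documentation ranges) are all assumptions. It prints the commands rather than running them, so the operator can eyeball the list first and so it can be run with no privileges.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not a real log) in the sshd syslog format of the period.
SAMPLE_LOG = """\
Aug 16 03:12:01 fc2box sshd[2231]: Illegal user admin from 192.0.2.10
Aug 16 03:12:01 fc2box sshd[2231]: Failed password for illegal user admin from 192.0.2.10 port 4120 ssh2
Aug 16 03:12:03 fc2box sshd[2233]: Illegal user guest from 192.0.2.10
Aug 16 03:12:04 fc2box sshd[2235]: Illegal user test from 192.0.2.10
Aug 16 03:12:05 fc2box sshd[2237]: Illegal user user from 192.0.2.10
Aug 16 09:40:17 fc2box sshd[2410]: Accepted publickey for ted from 198.51.100.5 port 51022 ssh2
Aug 16 11:02:44 fc2box sshd[2511]: Invalid user admin from 203.0.113.77
Aug 16 11:02:46 fc2box sshd[2513]: Failed password for invalid user admin from 203.0.113.77 port 2200 ssh2
Aug 16 14:55:09 fc2box sshd[2600]: Failed password for ted from 198.51.100.5 port 51030 ssh2
"""

# The account names the post says the scripted visitors always try.
PROBE_NAMES = {"admin", "guest", "test", "user"}

# Assumed chain name; create it once by hand with
#   iptables -N SSH-BLOCK && iptables -I INPUT 1 -j SSH-BLOCK
CHAIN = "SSH-BLOCK"

# Only the "Illegal user X from IP" / "Invalid user X from IP" line is matched, so the
# companion "Failed password for illegal user ..." line does not count the same attempt twice.
INVALID_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def probes_by_ip(log_text):
    """Return {ip: set(usernames)} for every invalid-user attempt in the log."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            user, ip = m.groups()
            hits[ip].add(user)
    return dict(hits)


def scripted_probers(log_text, min_names=2):
    """Addresses that tried at least min_names of the canned account names.

    The threshold keeps a single mistyped username from a real user off the list.
    """
    return sorted(
        ip for ip, users in probes_by_ip(log_text).items()
        if len(users & PROBE_NAMES) >= min_names
    )


def iptables_rules(ips, already_blocked=(), chain=CHAIN):
    """Emit one DROP rule per new address; addresses already in the chain are skipped."""
    skip = set(already_blocked)
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips if ip not in skip]


if __name__ == "__main__":
    for rule in iptables_rules(scripted_probers(SAMPLE_LOG)):
        print(rule)
```

In use, `already_blocked` would be filled from `iptables -L SSH-BLOCK -n` output (or a file the script keeps) so the chain does not grow duplicate rules on each nightly run. One caveat that follows from the reply above: rules added this way never expire, so an address from a dynamic pool stays blocked long after it has been handed to someone else; if the chain is kept at all, age the entries out after a few days.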


