[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Login attacks



On Tue, 2004-12-07 at 15:24, Michael Yep wrote:
> Hello
> 
> In my LogWatch report I get many login attacks, many from the same IP address.
> 
> sshd:
>     Authentication Failures:
>        root (218.232.109.187): 59 Time(s)

> I have permitRootLogin set to NO, and I use strong passwords, but can I 
> just add these IP addresses to hosts.deny?
> and if so how would I set that up


You may also want to add the IP address those probes are coming from to
your iptables with a drop rule.  This makes sure that nothing from that
IP address can do anything on your system.

If they are trying ssh they may be trying other ports.  And any address
that shows up many different times needs to be blocked completely.  It
is either a script kiddie trying all kinds of different things or
compromised system someone else is using to launch further attacks. 
Either way blocking them completely keeps your system safe and does not
impact you at all.


-- 
Scot L. Harris
webid cfl rr com

Pollyanna's Educational Constant:
	The hyperactive child is never absent. 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]