Login attacks

Nathaniel Hall halln at otc.edu
Tue Dec 7 22:52:58 UTC 2004


I see attempts about every other day.  Because of this, I send e-mails 
to ISPs about every other day.  After the third offense from within the 
same range, I block all access to our servers from that range, unless 
the ISP attempts to correct the problem.

I also keep track of all attempts so that I can reference it later in 
case of a break in.

Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking

halln at otc.edu
417-447-7535



Gerry Doris wrote:

>On Tue, 2004-12-07 at 15:24, Michael Yep wrote:
>  
>
>>Hello
>>
>>In my LogWatch report I get many login attacks, many from the same IP address.
>>
>>sshd:
>>    Authentication Failures:
>>       root (218.232.109.187): 59 Time(s)
>>       adm (218.232.109.187): 2 Time(s)
>>       apache (218.232.109.187): 1 Time(s)
>>       nobody (218.232.109.187): 1 Time(s)
>>       operator (218.232.109.187): 1 Time(s)
>>    Invalid Users:
>>       Unknown Account: 43 Time(s)
>>
>>I have permitRootLogin set to NO, and I use strong passwords, but can I 
>>just add these IP addresses to hosts.deny?
>>and if so how would I set that up
>>
>>
>>
>>Michael Yep
>>Development / Technical Operations
>>RemoteLink, Inc.
>>    
>>
>
>I had so many problems with the 218.0.0.0/24 domain that I totally
>blocked the entire domain.  I believe this domain is in Korea.
>
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20041207/06ee687a/attachment-0001.htm>


More information about the fedora-list mailing list