[Cialug] RE: Port blocking - and unwanted intruders.

Andrew Lietzow cialug@cialug.org
Mon, 6 Dec 2004 09:30:01 -0600 (CST)



timwilson011@mchsi.com wrote:

> I'm curious if I need to block any of the dest ports being hit. Anyone have any ideas, suggestions, or comments? Why would these ports be accessed?

I'm interested in your question, but unable to provide any answers.   

I have a Fedora Core 2 server running LAMP and ever since I installed it, the disk gets hit about once every three seconds.  I'd like to determine the process and/or the port.   

I think one of the suspect problems is an error in my named.conf file (my fault but haven't resolved the issue).   

This error gets logged in my /var/log/messages file, to wit:
"lame server resolving '1.0.0.127.in-addr.arpa' ( in '0.0.127.in-addr.arpa'?): 192.228.79.201#53"

A more serious error, or so I believe, is:
"Failed password for illegal user blue from 213.155.196.143 port 35672 ssh2"  
I have a whole slew of these entries in the /var/log/messages file and the jerk has tried to log in under many aliases, apparently from different IPs (including 210.102.183.225). I cannot ping these addresses.

When I do a "whois 210.102.183.225", I find a block of addresses for some University in China, maybe? The technical contact is ygson@kwc.ac.kr and kren@snu.ac.kr at KYUNGWON College.

Does anyone think it will do me any good to send an email to this contact to tell them that whoever is at 210.102.183.225 is being abusive? I have added both of these IPs to my /etc/hosts.deny file thusly.
<ssh2:210.102.183.225 213.155.196.143>
I'm not sure that I have the syntax correct.  

As always, TIA for any help. And, I wish I knew the answer to YOUR problem, Tim Wilson, but unfortunately, I am "niche ser gut" in this arena...

Ciao, 
Andrew Lietzow
Des Moines
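
Added example, not part of the original message: a Python sketch that tallies failed sshd logins of the kind quoted above per source address and builds a rule in the `daemon: client ...` form documented in hosts_access(5), where the daemon name is the process name `sshd`. The sample log lines, the hostname `www`, the threshold and the function names are constructed for illustration, and the rule only takes effect when sshd is built with TCP wrappers support.

```python
import re
from collections import Counter

# Constructed sample in the style of the log lines quoted in the message
# (hostname, PIDs, timestamps and the 192.0.2.10 address are made up).
SAMPLE_LOG = """\
Dec  6 03:12:01 www sshd[2101]: Failed password for illegal user blue from 213.155.196.143 port 35672 ssh2
Dec  6 03:12:04 www sshd[2103]: Failed password for illegal user red from 213.155.196.143 port 35690 ssh2
Dec  6 03:12:09 www sshd[2107]: Failed password for root from 210.102.183.225 port 41022 ssh2
Dec  6 03:12:12 www sshd[2109]: Failed password for illegal user test from 210.102.183.225 port 41040 ssh2
Dec  6 03:12:15 www sshd[2111]: Failed password for illegal user guest from 210.102.183.225 port 41051 ssh2
Dec  6 03:13:00 www sshd[2120]: Failed password for illegal user x from 192.0.2.10 port 1 from 213.155.196.143 port 35700 ssh2
Dec  6 08:01:44 www sshd[2290]: Failed password for andrew from 192.0.2.10 port 50211 ssh2
Dec  6 08:01:50 www sshd[2290]: Accepted password for andrew from 192.0.2.10 port 50211 ssh2
Dec  6 08:02:00 www named[801]: lame server resolving '1.0.0.127.in-addr.arpa' (in '0.0.127.in-addr.arpa'?): 192.228.79.201#53
"""

# The user name is text chosen by the remote side, so the pattern is anchored
# at the end of the line: only the final "from IP port N" is taken as the source.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(.*) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$"
)

def failed_logins(log_text):
    """Return {ip: (attempts, sorted user names tried)} for failed sshd logins."""
    attempts, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            attempts[ip] += 1
            users.setdefault(ip, set()).add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in attempts.items()}

def hosts_deny_line(stats, threshold=2, daemon="sshd"):
    """Build one hosts_access(5) rule for sources at or above the threshold."""
    bad = sorted(ip for ip, (n, _) in stats.items() if n >= threshold)
    return f"{daemon}: {' '.join(bad)}" if bad else ""

if __name__ == "__main__":
    stats = failed_logins(SAMPLE_LOG)
    for ip, (n, names) in sorted(stats.items()):
        print(f"{ip}: {n} failed attempts, users tried: {names}")
    print(hosts_deny_line(stats))
```

The single mistyped password from 192.0.2.10 stays under the threshold, so a legitimate user is not locked out by one typo.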