[Cialug] Re: RE: Port blocking - and unwanted intruders

Daniel Wittenberg cialug@cialug.org
Tue, 07 Dec 2004 11:48:22 -0600


Is your tcpwrappers not dropping those connections?  If you are seeing
these login attempts, then your tcpwrappers appear to not be working,
and hence a firewall rule based on those wouldn't do much good either.
I would suggest the standard host security policy of dropping everything
with iptables and only allowing what is explicitly needed (since
tcpwrappers can't protect everything).

Dan

On Tue, 2004-12-07 at 09:08 -0800, Ricky A. Kendall wrote:
> I have seen quite a few ssh attacks coming from South
> Korea, China, Argentina, Italy, Germany, and most
> recently from SBC (US based communications company). 
> I have blocked them with iptables and it's been quite
> effective.  I work at a DOE lab in Ames and similar
> attacks have been reported there as well.  They are
> hitting normal user accounts with names like patrick,
> george, adam, alan, andrew etc., as well as root,
> nobody, web, webmaster, www, wwwrun etc.  It's most
> likely a script kid exploiting an ssh hack they know
> of.  Anyway your best defense is tcpwrappers with a
> firewall that blocks offending dirtbags.  Also make
> sure you keep your distribution up to date with
> security patches.  
> 
> I'd be interested in seeing the script mentioned
> earlier that looks at wrappers logs and generates a
> firewall rule.  
> 
> Regards,
> Ricky
> 
> 
> =====
> Ricky A. Kendall         
> Ames, Iowa
> rickyakendall@yahoo.com