From: Steve <Gentoo_sjh@shic.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Date: Thu, 04 Dec 2008 11:31:37 +0000
Message-ID: <4937BF99.6050908@shic.co.uk>
In-Reply-To: <4936F0EA.7010000@gmail.com>

Simon wrote:
> Since it is very unlikely that the attacker is targeting you
> specifically, changing the port number (and removing root access) will
> very likely stop the attack forever. Though, if the attacker did
> target you, then you will need some more security tools (intrusion
> detection, etc...).

I recognise that this doesn't seem to be a targeted attack - but it is
still frustrating to find that someone has evaded my IP blocking
strategy... even though they pose only a slightly elevated risk by
having done so. (Of course, I don't permit root login - that would be
madness... and, as far as I'm aware, no-one has guessed even a valid
user name... they're all obscure!)

The thing that strikes me is that, in evading my blocking strategy, they
clearly identified a bot-net of compromised hosts. With this in mind,
ideally, I'd like to:

1. Automatically detect and block all future attacks on all ports from
all hosts which are involved in this coordinated attack. These hosts
can't be trusted not to be malicious.

2. Somehow inform the administrator of the hosts attacking me (in a
respectful way) since, I presume, they are unaware that their host is
involved in the attack.

3. Ideally, share this kind of information so that myself and others are
better protected from bot-net attacks in future.

It's the sort of thing I imagine has already been done - and there's no
point in re-inventing the wheel.
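
A sketch of the correlation step behind item 1, added here as an example and not code from anyone in the thread. It assumes OpenSSH-style syslog lines and that the existing blocking counts failures per source address; the sample log, thresholds and function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not from the thread); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec  3 19:58:01 host sshd[4101]: Failed password for invalid user aaron from 192.0.2.10 port 40112 ssh2
Dec  3 19:58:40 host sshd[4103]: Failed password for invalid user abby from 192.0.2.77 port 51890 ssh2
Dec  3 19:59:15 host sshd[4107]: Failed password for invalid user abel from 198.51.100.23 port 33001 ssh2
Dec  3 20:00:02 host sshd[4110]: Failed password for invalid user abigail from 203.0.113.5 port 45120 ssh2
Dec  3 20:00:49 host sshd[4112]: Failed password for invalid user abraham from 192.0.2.10 port 40377 ssh2
Dec  3 21:30:00 host sshd[4200]: Failed password for invalid user test from 203.0.113.200 port 50000 ssh2
Dec  3 21:31:00 host sshd[4201]: Accepted publickey for alice from 198.51.100.99 port 50022 ssh2
"""

FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user )(\S+) from (\S+)")

def parse_failures(text, year=2008):
    """Return sorted (timestamp, user, source_ip) tuples for failed logins.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def coordinated_sources(events, window=timedelta(minutes=10),
                        min_sources=4, per_ip_limit=3):
    """Flag sources that each stay under per_ip_limit (so a per-address
    blocker never fires) but appear together with at least min_sources
    distinct quiet addresses inside one sliding window."""
    flagged, start = set(), 0
    for end in range(len(events)):
        # Slide the window start forward until it spans at most `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        counts = Counter(ip for _, _, ip in events[start:end + 1])
        quiet = {ip for ip, n in counts.items() if n < per_ip_limit}
        if len(quiet) >= min_sources:
            flagged |= quiet
    return flagged

if __name__ == "__main__":
    for ip in sorted(coordinated_sources(parse_failures(SAMPLE_LOG))):
        print(ip)
```

A legitimate user who mistypes a password inside the same window would be flagged too, so the result is a candidate list to review or allowlist against before it feeds a firewall rule.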