On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
>       We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts.  An example:
> 
> Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user
>       bruce from 67.19.58.170 port 32983 ssh2

In my experience, these are just script kiddies goofing around.  The
only useful thing to do is to report them to abuse@ their ISP - this can
actually be effective in some cases.

$ whois 67.19.58.170
OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

...

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-782-7802
OrgAbuseEmail:  [EMAIL PROTECTED]

I'm sure his ISP would like to know about his behavior - send them a
report of his attempts.  Often in my opinion it's some 13 year old who
doesn't realize he's not anonymous on the internet.  It quickly becomes
a tedious and thankless job, but it's the best weapon you have imo.

Also, I find on some systems it's nice to do whitelisting with
hosts.allow to only allow connections from certain addresses.  Obviously
that is not a solution for every system, but it can work well for some.

Dan
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
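
An added example, not part of the message above: one way to turn a flurry of sshd rejects into the per-source summary an abuse desk needs (attempt count, time window, usernames tried, log excerpt). It assumes one log entry per line as in the log file itself; the sample lines are constructed except the first, and the names summarize, abuse_report, threshold and tz are hypothetical.

```python
import re
from collections import defaultdict

# "illegal user" is the wording in the log quoted above; later OpenSSH prints
# "invalid user". The pattern is anchored at end of line and the user field is
# greedy, so a username containing "from <ip>" cannot spoof the source address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?\s*$"
)

# Constructed sample lines; only the first mirrors the entry quoted in the thread.
SAMPLE_LOG = """\
Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr  6 05:49:44 dc sshd[12408]: Failed password for illegal user carol from 67.19.58.170 port 33010 ssh2
Apr  6 05:49:47 dc sshd[12410]: Failed password for root from 67.19.58.170 port 33042 ssh2
Apr  6 05:49:50 dc sshd[12412]: Failed password for illegal user x from 192.0.2.99 port 1 ssh2 from 67.19.58.170 port 33050 ssh2
Apr  6 06:02:13 dc sshd[12500]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Apr  6 07:15:01 dc sshd[12611]: Failed password for admin from 192.0.2.44 port 40100 ssh2
"""

def summarize(log_text, threshold=3):
    """Group failed logins by source IP; keep sources with >= threshold failures."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None, "lines": []})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        rec = by_ip[m["ip"]]
        rec["count"] += 1
        rec["users"].add(m["user"])
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        rec["lines"].append(line)
    return {ip: r for ip, r in by_ip.items() if r["count"] >= threshold}

def abuse_report(ip, rec, tz="UTC"):
    """Render a report body; syslog timestamps carry no zone, so state it explicitly."""
    users = ", ".join(sorted(rec["users"]))
    return (
        f"{rec['count']} failed SSH logins from {ip} "
        f"between {rec['first']} and {rec['last']} ({tz}).\n"
        f"Usernames tried: {users}\nLog excerpt:\n" + "\n".join(rec["lines"])
    )

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(abuse_report(ip, rec))
```

The resulting text can be pasted into a message to the OrgAbuseEmail contact that whois returns for the source address.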