On Sunday, 18 September 2005 10:02, Gábor Szabó wrote:
> I see in my log files many entries of this type (with various usernames)
>
> Failed logins from these:
>    aa/password from 131.247.3.147: 1 Time(s)
>
>
> What would be the best action with this?

Close the service in question if you don't need it.

If you do, block access to the port (via iptables or tcp wrappers) except for a short list of known addresses or networks (e.g. your ISP). If you connect to this service from dynamic IPs, check out portknocking to sort this out.

If you absolutely must, allow access to it and block the offending network from accessing this port. If you choose the last, feel free to write a quick script (I won't say in what programming language) to automatically block IPs that appear in the log files as failed logins. This block should be automatically lifted after 30-60 minutes to allow you to make mistakes once in a while.

Google for portsentry for an example of such a script, but writing one from scratch should be just as easy.

- Aviram
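
The auto-blocking script suggested in the reply above, sketched in Python as an added example that is not part of the original message. It parses the summary-line format quoted in the question and returns the iptables commands to run instead of executing them; the port, threshold, trusted network and all sample lines except the first are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Summary line format as quoted in the question: user/password from IP: N Time(s)
LINE_RE = re.compile(r"^\s*\S+/\S+ from (\S+): (\d+) Time\(s\)\s*$")
PORT = 22             # assumption: the service is sshd on tcp/22
THRESHOLD = 3         # assumption: failures needed before blocking
BLOCK_SECONDS = 1800  # 30 minutes, the low end of the range suggested above
ALLOW = [ipaddress.ip_network("192.0.2.0/24")]  # constructed trusted network

SAMPLE = [  # first line is from the question, the rest are constructed
    "aa/password from 131.247.3.147: 1 Time(s)",
    "root/password from 203.0.113.9: 4 Time(s)",
    "admin/password from 203.0.113.9: 2 Time(s)",
    "bob/password from 192.0.2.10: 5 Time(s)",
    "x/password from 1.2.3.4;reboot: 9 Time(s)",
]

def count_failures(lines):
    """Sum failed logins per source IP, skipping lines that do not parse."""
    counts = Counter()
    for m in filter(None, map(LINE_RE.match, lines)):
        try:
            counts[ipaddress.ip_address(m.group(1))] += int(m.group(2))
        except ValueError:
            continue  # not an IP: never pass raw log text to iptables
    return counts

def rule(action, ip):
    """argv for iptables; action is '-I' (insert) or '-D' (delete)."""
    return ["iptables", action, "INPUT", "-s", str(ip), "-p", "tcp",
            "--dport", str(PORT), "-j", "DROP"]

def plan(counts, blocked, now):
    """Return argv lists to run; updates blocked ({ip: expiry}) in place."""
    cmds = []
    for ip, expiry in list(blocked.items()):
        if expiry <= now:  # lift blocks whose time is up
            cmds.append(rule("-D", ip))
            del blocked[ip]
    for ip, n in counts.items():
        if n < THRESHOLD or ip in blocked or any(ip in net for net in ALLOW):
            continue  # below threshold, already blocked, or trusted
        blocked[ip] = now + BLOCK_SECONDS
        cmds.append(rule("-I", ip))
    return cmds
```

Run `plan()` from cron with the current Unix time and a persisted `blocked` mapping, passing each returned argv list to `subprocess.run` as root.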