Aviram Jenik <[EMAIL PROTECTED]> writes:

> On Sunday, 18 September 2005 10:02, Gábor Szabó wrote:
> > I see in my log files many entries of this type (with various usernames)
> >
> > Failed logins from these:
> > aa/password from 131.247.3.147: 1 Time(s)
> >
> >
> > What would be the best action with this?
> >
>
> Close the service in question if you don't need it.
>
> If you do, block access to the port (via iptables or tcp wrappers)
> except for a short list of known addresses or networks (e.g. your
> ISP). If you connect to this service from dynamic IP's, check out
> portknocking to sort this out. If you absolutely must, allow access
> to it and block the offending network from accessing this port.
>
> If you choose the last, feel free to write a quick script (I won't
> say in what programming language) to automatically block IP's that
> appear in the log files as failed logins. This block should be
> automatically lifted after 30-60 minutes to allow you to make
> mistakes once in a while. Google for portsentry for an example of
> such a script, but writing one from scratch should be just as easy.
I see a lot of those in the log of my home machine. Basically, I have ssh
open and I connect to the machine myself when I am at work, travelling,
etc. I am typing this mail while connected via ssh.

I figure that these entries are from blind and stupid attempts to guess
username/password combination manually or automatically. Aviram, if you
(or anyone else) have a different interpretation, I'd like to hear.

Therefore, I would not want to block every address from which a
connection is attempted. I may mistype username/password myself, after
all, and I don't want access blocked because of that. I also don't know
in advance where I will try to connect next time (a coffee shop? a
friend's place? an airport?). So if you do write a blocking script like
Aviram suggests, I would block an address after a number of attempts
only, and only if it clearly uses bogus usernames.

So far I have been ignoring these (but I do read the logs). Am I too
naive?

-- 
Oleg Goldshmidt | [EMAIL PROTECTED] | http://www.goldshmidt.org

================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
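The policy the two replies sketch, written up as an added example (not code from anyone in the thread): parse the "Failed logins from these:" summary lines, block an address only once its failures with usernames outside a known-user set reach a threshold, and give each block an expiry so it is lifted automatically. The sample log, the threshold and the 45-minute block lifetime are constructed assumptions, and the iptables commands are returned as strings for an operator to review rather than executed.

```python
import re

# Constructed sample in the "Failed logins from these:" summary format quoted
# in the thread (one line per user/IP pair with a count); addresses are made up.
SAMPLE_LOG = """\
Failed logins from these:
   aa/password from 192.0.2.10: 1 Time(s)
   admin/password from 192.0.2.10: 4 Time(s)
   test/password from 192.0.2.10: 3 Time(s)
   oleg/password from 198.51.100.7: 2 Time(s)
   root/password from 203.0.113.5: 1 Time(s)
"""

LINE_RE = re.compile(
    r"^\s*(?P<user>[^/\s]+)/password from (?P<ip>[\d.]+): (?P<n>\d+) Time\(s\)")


def parse_failed_logins(text):
    """Return {ip: {user: count}} from the summary block."""
    per_ip = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        users = per_ip.setdefault(m["ip"], {})
        users[m["user"]] = users.get(m["user"], 0) + int(m["n"])
    return per_ip


def decide_blocks(per_ip, known_users, threshold, now, lift_after=45 * 60):
    """Block an address only when its failures with bogus usernames (not in
    known_users) reach `threshold`; a known user mistyping never counts.
    `now` is a Unix timestamp; each block records when it expires."""
    blocks = {}
    for ip, users in per_ip.items():
        bogus = sum(n for user, n in users.items() if user not in known_users)
        if bogus >= threshold:
            blocks[ip] = now + lift_after
    return blocks


def active_blocks(blocks, now):
    """Addresses whose block has not yet expired at time `now`."""
    return sorted(ip for ip, until in blocks.items() if until > now)


def iptables_rules(ips):
    """Rule lines an operator would apply to drop the listed addresses."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]
```

A cron job could run this over each new summary and re-evaluate `active_blocks` to remove expired rules, which is the "lifted after 30-60 minutes" part of the suggestion.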