On Sat, 2009-05-09 at 22:35 -0700, Kurt Granroth wrote:
> That seems... unlikely. I have had thousands of unique IPs hit some of
> my hosts, many to never repeat after a round of attacks. The more
> plausible route is that they have a botnet of pwned boxes numbering in
> the hundreds of thousands and they just use them for random dictionary
> attacks. Once the dictionary attack is done (completely failed), they
> move on.
>
> One lesson to learn from this, though, is to NEVER allow name+password
> based logins over the Internet. If you open up port 22 to the world,
> then make sure you restrict logins to SSH key only. Most importantly:
>
> PasswordAuthentication no
>
> If a million monkeys can write the works of Shakespeare, then a million
> compromised zombies can eventually crack all of your passwords, too!
>
----
I NEVER open port 22 for SSH to the Internet but always use a different port number.

I ALWAYS use denyhosts (but there are other programs that do much the same thing) that blocks connections after a pre-defined number of failed attempts within a pre-defined time period. I use a pretty low number of failed attempts and a fairly wide time window period.

I used to pay attention to iptables reports and even once wrote a database program to import/sort/report on them because if you have a box on the Internet, you are going to get a lot of blocked attempts but I really felt that virtually all of that time and energy was wasted.

I am no longer surprised nor worried about people port scanning my public IP addresses any more.

I do employ SELinux these days for an added layer of protection but I don't know that I've had a system compromised in the last 10 years...but I did have several systems compromised a little over 10 years ago and started taking security very seriously.

I do scan my own systems to verify which ports are open on the Internet.

If you really want to know where your network is weakest...look at your wireless access point/router.
But really, the biggest threat these days is using a web browser because you can't even trust the web sites you think that you trust.

I sleep pretty well at night.

Craig

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
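
The blocking rule described in the reply above (a set number of failed attempts within a set time period), as an added example that is not code from the post or from DenyHosts. The log lines are constructed in OpenSSH syslog style, and `hosts_to_block` with its parameters and defaults is a hypothetical helper.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range addresses), not real logs.
SAMPLE_LOG = """\
May  9 22:01:10 host sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
May  9 22:09:43 host sshd[4125]: Failed password for root from 203.0.113.7 port 40290 ssh2
May  9 22:10:02 host sshd[4130]: Failed password for alice from 198.51.100.20 port 51514 ssh2
May  9 22:10:30 host sshd[4130]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
May  9 22:48:15 host sshd[4177]: Failed password for invalid user test from 203.0.113.7 port 41877 ssh2
May  9 23:55:00 host sshd[4302]: Failed password for root from 192.0.2.44 port 33010 ssh2
May 10 01:30:00 host sshd[4410]: Failed password for root from 192.0.2.44 port 33991 ssh2
"""

# Captures the syslog timestamp and the source address of a failed password attempt.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port"
)

def hosts_to_block(log_text, max_failures=3, window=timedelta(hours=1), year=2009):
    """Return {source_ip: time the threshold was crossed} for a sliding window.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = {}
    for line in log_text.splitlines():
        match = FAILED.match(line)
        if not match:
            continue  # successful logins and unrelated lines are ignored
        stamp, ip = match.groups()
        if ip in blocked:
            continue  # already over the threshold
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        failures = recent[ip]
        failures.append(when)
        # Drop failures that have aged out of the window before counting.
        while when - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            blocked[ip] = when
    return blocked

if __name__ == "__main__":
    for ip, when in hosts_to_block(SAMPLE_LOG).items():
        print(f"block {ip} (threshold crossed at {when})")
```

Lowering `max_failures` and widening `window` also catches the slow source that spaces its attempts out: with `max_failures=2` and a two-hour window, `192.0.2.44` is flagged as well.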