Cracking attempt dilemma

Author: June Tate
Date:  
To: plug-discuss
Subject: Cracking attempt dilemma
Hey folks,

I've been a bit of a long time lurker on this list, but I've recently
come up with a bit of a problem. Somebody, somewhere out on the 'net is
attempting to crack into my home server -- unfortunately, they seem to
be either using a few hundred zombie boxen on the 'net or spoofing their
IP addresses because each attack is coming from a completely different IP.

The first time I noticed, I noticed a bunch of "Illegal user" error
messages in /var/log/auth.log. At first I didn't think much of it, but
since I've worked on the iptables firewall, I've noticed an almost
constant stream of incoming packets to random ports on my box, too.

At first I thought he must have just found my box via an IP subnet scan
or something, but when I recently changed ISPs and IP addresses, he
followed via my domain name.

My question is this: how can I track down this guy, blacklist, or
prevent him from breaching my defenses? Also, what should I do about
reporting him to the authorities? Who should I contact about this?

I've tried looking up his various IPs in the whois databases to no avail
-- they list him as coming from Tokyo, Taiwan, South Africa, San
Diego, etc.

My server is running Debian Linux, for reference.

--
June Tate * http://www.theonelab.com *