On Tue, 2004-12-07 at 13:26 -0700, June Tate wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey folks,
>
> I've been a bit of a long time lurker on this list, but I've recently
> come up with a bit of a problem. Somebody, somewhere out on the 'net is
> attempting to crack into my home server -- unfortunately, they seem to
> be either using a few hundred zombie boxen on the 'net or spoofing their
> IP addresses because each attack is coming from a completely different IP.
>
> The first time I noticed, I noticed a bunch of "Illegal user" error
> messages in /var/log/auth.log. At first I didn't think much of it, but
> since I've worked on the iptables firewall, I've noticed an almost
> constant stream of incoming packets to random ports on my box, too.
>
> At first I thought he must have just found my box via an IP subnet scan
> or something, but when I recently changed ISPs and IP addresses, he
> followed via my domain name.
>
> My question is this: how can I track down this guy, blacklist, or
> prevent him from breaching my defenses? Also, what should I do about
> reporting him to the authorities? Who do should I contact about this?
>
> I've tried looking up his various IPs in the whois databases to no avail
> - -- they list him as coming from Tokyo, Taiwan, South Africa, San
> Diego, etc.
>
> My server is running Debian Linux, for reference.
----
my philosophy on this has changed over time.
Unless you want to learn packet tracing as a skill, let it go. Put a
system/box up as the firewall and keep it up to date. It isn't worth the
effort. A decently skilled hacker will use other systems to cover his
tracks.
There has been a lot of activity to find systems susceptible to known
openssh exploits.
Craig
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)