LinuxQuestions.org
Old 09-30-2004, 04:07 PM   #46
craig34
Quote:
Originally posted by Capt_Caveman
Honestly, spending your effort hardening your system and maintaining security will be a better payoff than worrying about the best way to implement your blacklist.
I suppose it's too general of a question to ask how you might achieve this? Maybe a top 5 list so it doesn't take forever?
 
Old 09-30-2004, 09:33 PM   #47
mangolicious
my two cents

Quote:
Originally posted by flashingcurser
Does it only scan the default port? I always change sshd to listen to a non-standard non-priv port.

hey that's not a bad idea
 
Old 09-30-2004, 09:46 PM   #48
Capt_Caveman
Original Poster
Quote:
Originally posted by craig34
I suppose it's to general of a question to ask for how you might achieve this? Maybe a top 5 list so it doesn't take forever?
There are a number of security checklists and HOWTOs in the Security References thread that unSpawn put together. Those will probably be a better starting framework than a top 5.
 
Old 09-30-2004, 09:55 PM   #49
mangolicious
yep. same thing.

I'm getting the same thing as all of the rest of you...
only with mine the attacker is only trying to get the root password (with the exception of the odd jane and patrick here and there)
also, I'm getting this:
Code:
Sep 27 13:11:26 [sshd] error: Could not get shadow information for NOUSER
and this
Code:
Sep 27 13:11:29 [sshd] Failed password for root from 202.235.200.79 port 56337 ssh2
that's just weird. why would you ever be able to get shadow information with sshd?? how is 202.235.200.79 accessing ports that I had blocked out? this simply is not making any sense. someone please explain. my brain hurts.

PS: 202.235.200.79 reverse DNS's to http://www.kabujouhou.com/
lol!
I'm being spammed by a Chinese website. priceless. hey, by the way, if anybody in this forum can read Chinese could they get back to me on what that site is?

Last edited by mangolicious; 09-30-2004 at 10:02 PM.
 
Old 10-01-2004, 08:39 AM   #50
TruckStuff
I'm going to repost my earlier question also:
Quote:
I've been blocking these at the firewall. Any thoughts on if it's better to block at the firewall vs. using a hosts.allow as mentioned here?
 
Old 10-01-2004, 04:07 PM   #51
mangolicious
Truckstuff, it seems to be cleaner to use hosts.allow/deny but really, there's not much difference in between the two. whichever one you are most comfortable dealing with.
 
Old 10-04-2004, 06:05 AM   #52
jayjwa
To limit/end these Script Kiddie playtimes:

1) Make passwords long & strong, stuff like: &^bV{-)wQ17HG*dzQK?X

2) Limit sshd's accessing domains you know you don't need in hosts.deny (sshd can be compiled w/hosts_access support or put in under xinetd/inet with -i option). For example, I know that no one from China should be logging into my sshd, so:

hosts.deny:

Code:
sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
3) Add line

Code:
sshd: UNKNOWN
to hosts.deny. Surprisingly, this stops a lot of them but hasn't stopped any of my legit users. You can combine this rule with #2 above.

4) Make use of the AllowUsers, DenyUsers tags in sshd_config. Make sure you list exactly who should and who should not login. IMO, never, ever allow root.

sshd_config:

Code:
# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers tom joe harry

# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news  uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc

5) Check into key-only ssh login. If someone doesn't have a valid key, it will be very hard to login with any password!

6) Turn up logging and watch logs carefully. Maybe limit access times too (with xinetd's port times). I completely drop traffic from known trouble networks/domains/netblocks, but this may be too extreme for some people. xinetd can do rate limit as well.

7) You can put sshd on another port, but this shouldn't be needed if all your other defense is in place. Stay up on patches and current security. Most intruders I've seen get local, then use kernel exploits like km3.c (ptrace) or do_brk(), mremap to gain root. Of those that did get root, they usually downloaded IRC stuff (bouncers, bots) and Linux viruses OSF and RST variant #2. The attackers were quite amateurish, and left behind plenty of evidence, including bash history files, logs, and other records. Once a machine is compromised, they use it to do more. The most advanced tool that I've seen came as a C source file, so the port could be changed. It had an extensive password list with dictionary-type words. More words could be added. RST #2 contains its own backdoor. Rootkits T0rn and SucKit were popular as well. Many of the tools came from the go.ro domain. In many cases, the admins of the attacking machines didn't know they were compromised. Several expressed gratitude when notified of the attempts, but unfortunately the norm seems to be no response (at least in the cases I've reported myself).

As far as using hosts based access or iptables, I'd say go for both: knock out as many trouble spots as you can with each tool, because they work slightly differently. For example, I may not need to allow sshd login from a certain domain, but I do want to be able to send and receive mail with it, so I can't drop it completely. With hosts based access you can give rules to just one daemon, or all.

- jayjwa

(Re-edited for reformatting on 10/6)

Last edited by jayjwa; 10-06-2004 at 09:38 AM.
 
Old 10-04-2004, 06:44 AM   #53
floppywhopper
floppywhopper here again
Smoothwall reports that
not only am I getting this SSH bulls**t
but also attempts against port 901 ( SWAT )
yesterday 6 pages of crap in the firewall logs
today some f***kwit from japan having a go
up to 8 times per minute
and I'm only on dial-up
I feel sorry for guys on ADSL or similar where you're connected 24/7
no wonder the internet is so slow

floppy
 
Old 10-06-2004, 09:20 AM   #54
jayjwa
These are getting worse. This recent one, yesterday's, is the most advanced tool I've had used against my system. It happened while I was away; the attacker ran a bruteforce attack for about 12 minutes, using not only the usual "test" "guest" junk, but also some UIDs I'm sure somebody is likely to have. I'm really glad that I make use of the AllowUsers and DenyUsers tags in sshd_config! 4.28.181.157 (wbar24.tmp1-4.28.181.157.tmp1.dsl-verizon.net), a Linux machine estimated through passive OS fingerprinting to be a 2.6.8 and up for 1106 hours, was the attacker. The ISP was notified, but all I've got back so far is a form letter and a case number.

Code:
Oct  4 11:23:50 atr2 sshd[3228]: Generating 768 bit RSA key.
Oct  4 11:23:50 atr2 sshd[3228]: RSA key generation complete.
Oct  4 11:23:51 atr2 sshd[3228]: Connection from 4.28.181.157 port 37387
Oct  4 11:23:51 atr2 sshd[3228]: Did not receive identification string from 4.28.181.157
Oct  4 11:32:39 atr2 sshd[3230]: Generating 768 bit RSA key.
Oct  4 11:32:40 atr2 sshd[3230]: RSA key generation complete.
Oct  4 11:32:41 atr2 sshd[3230]: Connection from 4.28.181.157 port 49500
Oct  4 11:32:45 atr2 sshd[3230]: User nobody not allowed because listed in DenyUsers
Oct  4 11:32:45 atr2 sshd[3230]: Failed password for invalid user nobody from 4.28.181.157 port 49500 ssh2
Oct  4 11:32:47 atr2 sshd[3233]: Generating 768 bit RSA key.
Oct  4 11:32:48 atr2 sshd[3233]: RSA key generation complete.
Oct  4 11:32:49 atr2 sshd[3233]: Connection from 4.28.181.157 port 49608
Oct  4 11:32:52 atr2 sshd[3233]: Invalid user patrick from 4.28.181.157
Oct  4 11:32:52 atr2 sshd[3233]: Failed password for invalid user patrick from 4.28.181.157 port 49608 ssh2
Oct  4 11:32:53 atr2 sshd[3236]: Generating 768 bit RSA key.
Oct  4 11:32:54 atr2 sshd[3236]: RSA key generation complete.
Oct  4 11:32:54 atr2 sshd[3236]: Connection from 4.28.181.157 port 49710
Oct  4 11:32:58 atr2 sshd[3236]: Invalid user patrick from 4.28.181.157
Oct  4 11:32:58 atr2 sshd[3236]: Failed password for invalid user patrick from 4.28.181.157 port 49710 ssh2
Oct  4 11:32:59 atr2 sshd[3239]: Generating 768 bit RSA key.
Oct  4 11:33:00 atr2 sshd[3239]: RSA key generation complete.
Oct  4 11:33:01 atr2 sshd[3239]: Connection from 4.28.181.157 port 49783
Oct  4 11:33:04 atr2 sshd[3239]: User root not allowed because listed in DenyUsers
Oct  4 11:33:04 atr2 sshd[3239]: Failed password for invalid user root from 4.28.181.157 port 49783 ssh2
Oct  4 11:33:06 atr2 sshd[3242]: Generating 768 bit RSA key.
Oct  4 11:33:07 atr2 sshd[3242]: RSA key generation complete.
Oct  4 11:33:08 atr2 sshd[3242]: Connection from 4.28.181.157 port 49894
Oct  4 11:33:11 atr2 sshd[3242]: User root not allowed because listed in DenyUsers
Oct  4 11:33:11 atr2 sshd[3242]: Failed password for invalid user root from 4.28.181.157 port 49894 ssh2
Oct  4 11:33:13 atr2 sshd[3245]: Generating 768 bit RSA key.
Oct  4 11:33:15 atr2 sshd[3245]: RSA key generation complete.
Oct  4 11:33:16 atr2 sshd[3245]: Connection from 4.28.181.157 port 50040
Oct  4 11:33:21 atr2 sshd[3245]: User root not allowed because listed in DenyUsers
Oct  4 11:33:21 atr2 sshd[3245]: Failed password for invalid user root from 4.28.181.157 port 50040 ssh2
Oct  4 11:33:22 atr2 sshd[3248]: Generating 768 bit RSA key.
Oct  4 11:33:23 atr2 sshd[3248]: RSA key generation complete.
Oct  4 11:33:23 atr2 sshd[3248]: Connection from 4.28.181.157 port 50208
Oct  4 11:33:28 atr2 sshd[3248]: User root not allowed because listed in DenyUsers
Oct  4 11:33:28 atr2 sshd[3248]: Failed password for invalid user root from 4.28.181.157 port 50208 ssh2
Oct  4 11:33:30 atr2 sshd[3251]: Generating 768 bit RSA key.
Oct  4 11:33:31 atr2 sshd[3251]: RSA key generation complete.
Oct  4 11:33:31 atr2 sshd[3251]: Connection from 4.28.181.157 port 50314
Oct  4 11:33:34 atr2 sshd[3251]: User root not allowed because listed in DenyUsers
Oct  4 11:33:34 atr2 sshd[3251]: Failed password for invalid user root from 4.28.181.157 port 50314 ssh2
Oct  4 11:33:36 atr2 sshd[3254]: Generating 768 bit RSA key.
Oct  4 11:33:37 atr2 sshd[3254]: RSA key generation complete.
Oct  4 11:33:37 atr2 sshd[3254]: Connection from 4.28.181.157 port 50419
Oct  4 11:33:40 atr2 sshd[3254]: Invalid user rolo from 4.28.181.157
Oct  4 11:33:40 atr2 sshd[3254]: Failed password for invalid user rolo from 4.28.181.157 port 50419 ssh2
Oct  4 11:33:41 atr2 sshd[3257]: Generating 768 bit RSA key.
Oct  4 11:33:42 atr2 sshd[3257]: RSA key generation complete.
Oct  4 11:33:43 atr2 sshd[3257]: Connection from 4.28.181.157 port 50527
Oct  4 11:33:46 atr2 sshd[3257]: Invalid user iceuser from 4.28.181.157
Oct  4 11:33:46 atr2 sshd[3257]: Failed password for invalid user iceuser from 4.28.181.157 port 50527 ssh2
Oct  4 11:33:47 atr2 sshd[3260]: Generating 768 bit RSA key.
Oct  4 11:33:48 atr2 sshd[3260]: RSA key generation complete.
Oct  4 11:33:48 atr2 sshd[3260]: Connection from 4.28.181.157 port 50628
Oct  4 11:33:52 atr2 sshd[3260]: Invalid user horde from 4.28.181.157
Oct  4 11:33:52 atr2 sshd[3260]: Failed password for invalid user horde from 4.28.181.157 port 50628 ssh2
Oct  4 11:33:53 atr2 sshd[3263]: Generating 768 bit RSA key.
Oct  4 11:33:54 atr2 sshd[3263]: RSA key generation complete.
Oct  4 11:33:54 atr2 sshd[3263]: Connection from 4.28.181.157 port 50729
Oct  4 11:33:57 atr2 sshd[3263]: Invalid user cyrus from 4.28.181.157
Oct  4 11:33:57 atr2 sshd[3263]: Failed password for invalid user cyrus from 4.28.181.157 port 50729 ssh2
Oct  4 11:33:58 atr2 sshd[3266]: Generating 768 bit RSA key.
Oct  4 11:33:59 atr2 sshd[3266]: RSA key generation complete.
Oct  4 11:33:59 atr2 sshd[3266]: Connection from 4.28.181.157 port 50788
Oct  4 11:34:02 atr2 sshd[3266]: Invalid user www from 4.28.181.157
Oct  4 11:34:02 atr2 sshd[3266]: Failed password for invalid user www from 4.28.181.157 port 50788 ssh2
Oct  4 11:34:04 atr2 sshd[3269]: Generating 768 bit RSA key.
Oct  4 11:34:04 atr2 sshd[3269]: RSA key generation complete.
Oct  4 11:34:05 atr2 sshd[3269]: Connection from 4.28.181.157 port 50868
Oct  4 11:34:07 atr2 sshd[3269]: Invalid user wwwrun from 4.28.181.157
Oct  4 11:34:07 atr2 sshd[3269]: Failed password for invalid user wwwrun from 4.28.181.157 port 50868 ssh2
Oct  4 11:34:09 atr2 sshd[3272]: Generating 768 bit RSA key.
Oct  4 11:34:10 atr2 sshd[3272]: RSA key generation complete.
Oct  4 11:34:10 atr2 sshd[3272]: Connection from 4.28.181.157 port 50945
Oct  4 11:34:13 atr2 sshd[3272]: Invalid user matt from 4.28.181.157
Oct  4 11:34:13 atr2 sshd[3272]: Failed password for invalid user matt from 4.28.181.157 port 50945 ssh2
Oct  4 11:34:14 atr2 sshd[3275]: Generating 768 bit RSA key.
Oct  4 11:34:15 atr2 sshd[3275]: RSA key generation complete.
Oct  4 11:34:16 atr2 sshd[3275]: Connection from 4.28.181.157 port 51021
Oct  4 11:34:19 atr2 sshd[3275]: Invalid user test from 4.28.181.157
Oct  4 11:34:19 atr2 sshd[3275]: Failed password for invalid user test from 4.28.181.157 port 51021 ssh2
Oct  4 11:34:20 atr2 sshd[3278]: Generating 768 bit RSA key.
Oct  4 11:34:20 atr2 sshd[3278]: RSA key generation complete.
Oct  4 11:34:21 atr2 sshd[3278]: Connection from 4.28.181.157 port 51099
Oct  4 11:34:24 atr2 sshd[3278]: Invalid user test from 4.28.181.157
Oct  4 11:34:24 atr2 sshd[3278]: Failed password for invalid user test from 4.28.181.157 port 51099 ssh2
Oct  4 11:34:26 atr2 sshd[3281]: Generating 768 bit RSA key.
Oct  4 11:34:27 atr2 sshd[3281]: RSA key generation complete.
Oct  4 11:34:28 atr2 sshd[3281]: Connection from 4.28.181.157 port 51186
Oct  4 11:34:30 atr2 sshd[3281]: Invalid user test from 4.28.181.157
Oct  4 11:34:30 atr2 sshd[3281]: Failed password for invalid user test from 4.28.181.157 port 51186 ssh2
Oct  4 11:34:32 atr2 sshd[3284]: Generating 768 bit RSA key.
Oct  4 11:34:32 atr2 sshd[3284]: RSA key generation complete.
Oct  4 11:34:33 atr2 sshd[3284]: Connection from 4.28.181.157 port 51276
Oct  4 11:34:36 atr2 sshd[3284]: Invalid user test from 4.28.181.157
Oct  4 11:34:36 atr2 sshd[3284]: Failed password for invalid user test from 4.28.181.157 port 51276 ssh2
Oct  4 11:34:37 atr2 sshd[3287]: Generating 768 bit RSA key.
Oct  4 11:34:38 atr2 sshd[3287]: RSA key generation complete.
Oct  4 11:34:39 atr2 sshd[3287]: Connection from 4.28.181.157 port 51353
Oct  4 11:34:41 atr2 sshd[3287]: Invalid user www-data from 4.28.181.157
Oct  4 11:34:41 atr2 sshd[3287]: Failed password for invalid user www-data from 4.28.181.157 port 51353 ssh2
Oct  4 11:34:43 atr2 sshd[3290]: Generating 768 bit RSA key.
Oct  4 11:34:44 atr2 sshd[3290]: RSA key generation complete.
Oct  4 11:34:44 atr2 sshd[3290]: Connection from 4.28.181.157 port 51434
Oct  4 11:34:47 atr2 sshd[3290]: User mysql not allowed because listed in DenyUsers
Oct  4 11:34:47 atr2 sshd[3290]: Failed password for invalid user mysql from 4.28.181.157 port 51434 ssh2
Oct  4 11:34:49 atr2 sshd[3293]: Generating 768 bit RSA key.
Oct  4 11:34:50 atr2 sshd[3293]: RSA key generation complete.
Oct  4 11:34:50 atr2 sshd[3293]: Connection from 4.28.181.157 port 51521
Oct  4 11:34:53 atr2 sshd[3293]: User operator not allowed because listed in DenyUsers
Oct  4 11:34:53 atr2 sshd[3293]: Failed password for invalid user operator from 4.28.181.157 port 51521 ssh2
Oct  4 11:34:55 atr2 sshd[3296]: Generating 768 bit RSA key.
Oct  4 11:34:55 atr2 sshd[3296]: RSA key generation complete.
Oct  4 11:34:56 atr2 sshd[3296]: Connection from 4.28.181.157 port 51591
Oct  4 11:34:59 atr2 sshd[3296]: User adm not allowed because listed in DenyUsers
Oct  4 11:34:59 atr2 sshd[3296]: Failed password for invalid user adm from 4.28.181.157 port 51591 ssh2
Oct  4 11:35:00 atr2 sshd[3299]: Generating 768 bit RSA key.
Oct  4 11:35:01 atr2 sshd[3299]: RSA key generation complete.
Oct  4 11:35:01 atr2 sshd[3299]: Connection from 4.28.181.157 port 51676
Oct  4 11:35:04 atr2 sshd[3299]: Invalid user apache from 4.28.181.157
Oct  4 11:35:04 atr2 sshd[3299]: Failed password for invalid user apache from 4.28.181.157 port 51676 ssh2
Oct  4 11:35:06 atr2 sshd[3302]: Generating 768 bit RSA key.
Oct  4 11:35:07 atr2 sshd[3302]: RSA key generation complete.
Oct  4 11:35:09 atr2 sshd[3302]: Connection from 4.28.181.157 port 51744
Oct  4 11:35:11 atr2 sshd[3302]: Invalid user irc from 4.28.181.157
Oct  4 11:35:11 atr2 sshd[3302]: Failed password for invalid user irc from 4.28.181.157 port 51744 ssh2
Oct  4 11:35:13 atr2 sshd[3305]: Generating 768 bit RSA key.
Oct  4 11:35:14 atr2 sshd[3305]: RSA key generation complete.
Oct  4 11:35:15 atr2 sshd[3305]: Connection from 4.28.181.157 port 51846
Oct  4 11:35:18 atr2 sshd[3305]: Invalid user irc from 4.28.181.157
Oct  4 11:35:18 atr2 sshd[3305]: Failed password for invalid user irc from 4.28.181.157 port 51846 ssh2
Oct  4 11:35:20 atr2 sshd[3308]: Generating 768 bit RSA key.
Oct  4 11:35:21 atr2 sshd[3308]: RSA key generation complete.
Oct  4 11:35:22 atr2 sshd[3308]: Connection from 4.28.181.157 port 51946
Oct  4 11:35:25 atr2 sshd[3308]: User adm not allowed because listed in DenyUsers
Oct  4 11:35:25 atr2 sshd[3308]: Failed password for invalid user adm from 4.28.181.157 port 51946 ssh2
Oct  4 11:35:27 atr2 sshd[3311]: Generating 768 bit RSA key.
Oct  4 11:35:27 atr2 sshd[3311]: RSA key generation complete.
Oct  4 11:35:28 atr2 sshd[3311]: Connection from 4.28.181.157 port 52036
Oct  4 11:35:31 atr2 sshd[3311]: User root not allowed because listed in DenyUsers
Oct  4 11:35:31 atr2 sshd[3311]: Failed password for invalid user root from 4.28.181.157 port 52036 ssh2
Oct  4 11:35:33 atr2 sshd[3315]: Generating 768 bit RSA key.
Oct  4 11:35:33 atr2 sshd[3315]: RSA key generation complete.
Oct  4 11:35:34 atr2 sshd[3315]: Connection from 4.28.181.157 port 52118
Oct  4 11:35:41 atr2 sshd[3315]: User root not allowed because listed in DenyUsers
Oct  4 11:35:41 atr2 sshd[3315]: Failed password for invalid user root from 4.28.181.157 port 52118 ssh2


# nmap 3.70 scan initiated Mon Oct  4 12:08:37 2004 as: nmap -sT -T4 -n -oN ssh-attack.log --append_output -P0 4.28.181.157 

Interesting ports on 4.28.181.157:
(The 1655 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
1723/tcp closed pptp
5190/tcp closed aol
8080/tcp open   http-proxy

# Nmap run completed at Mon Oct  4 12:10:05 2004 -- 1 IP address (1 host up) scanned in 88.233 seconds
My point in posting this is that they are using UIDs other than "test" and "guest", and it's very likely that someone who reads this will have one of the mentioned user-ids unsecured: apache, mysql, adm, www, wwwrun, root, operator, www-data, and a few others. I have no idea where he got the names "horde" and "patrick" from. I have no users by those names.
I have a bad feeling that this was an unsecured proxy server (allowing CONNECT), so likely nothing will happen to this guy; he's probably trying someone else's account now. But he didn't get in here.

Last edited by jayjwa; 10-06-2004 at 09:42 AM.
 
Old 10-06-2004, 09:30 AM   #55
craig34
Strangely enough, I've begun to notice a huge slowdown in SSH attempts on my server. Actually had none yesterday... possibly the calm before the storm? Hopefully not since I'm away this weekend.
 
Old 10-06-2004, 09:38 AM   #56
TruckStuff
Quote:
Originally posted by craig34
Strangely enough, I've begun to notice a huge slowdown in SSH attempts on my server. Actually had none yesterday... possibly the calm before the storm? Hopefully not since I'm away this weekend.
Ditto here. They all seemed to stop on Sunday for me. I came into work Monday morning and was astonished that there were none of these attempts at all on Sunday. Monday and Tuesday were also slow.
 
Old 10-06-2004, 09:39 AM   #57
TruckStuff
Quote:
# nmap 3.70 scan initiated Mon Oct 4 12:08:37 2004 as: nmap -sT -T4 -n -oN ssh-attack.log --append_output -P0 4.28.181.157

Interesting ports on 4.28.181.157:
(The 1655 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1723/tcp closed pptp
5190/tcp closed aol
8080/tcp open http-proxy

# Nmap run completed at Mon Oct 4 12:10:05 2004 -- 1 IP address (1 host up) scanned in 88.233 seconds
I'd be careful using nmap outside of your network. ISPs have been known to ban/blacklist without question for this type of activity.
 
Old 10-08-2004, 11:38 AM   #58
shinobi59
Quote:
Originally posted by TruckStuff
Except I beat my head against the wall for 2 weeks a few months ago trying to get private key auth working with SSHD.

At any rate, I've been seeing these attempts in my logs for the last few weeks. Just figured it was some stupid skiddie; guess I was right.


put your private key into the remote system in a file called authorized_keys.

1) Check if you have a .ssh directory
ssh user@remotehost 'ls -l .ssh'

2) If not:
ssh user@remotehost 'mkdir .ssh'

3) Copy your public key
scp $HOME/.ssh/id_rsa.pub user@remotehost:.ssh/authorized_keys

NOTE: if the .ssh directory and the authorized_keys file already exist and the remote system / account are shared or you access user@remotehost from more than one machine then do the following:

scp $HOME/.ssh/id_rsa.pub user@remotehost:.

then

ssh user@remotehost 'cat id_rsa.pub >> .ssh/authorized_keys' to append to rather than overwrite the authorized_keys file.
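An added example, my own and not from shinobi59's post, of the key installation above done in one idempotent step: it creates .ssh if missing, appends the public key (id_rsa.pub; authorized_keys never holds a private key) only when it is not already present, and sets the modes that sshd's StrictModes checks. The function works on a local home directory so it can be run and tested here; install_authorized_key and demo are my names, and the key in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): install an OpenSSH *public* key into an
# account's authorized_keys as shinobi59's steps intend, but in one idempotent
# function: create .ssh if missing, append rather than overwrite, skip a key that
# is already there, and set the modes sshd's StrictModes checks (700 / 600).
# Usage: install_authorized_key HOME_DIR PUBKEY_FILE   (names are mine)

install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    key_line=$(head -n 1 "$pubkey_file")
    # authorized_keys holds public keys only; id_rsa (PEM "PRIVATE KEY") must never go in.
    # ssh-ed25519 / ecdsa are newer than 2004 and listed for completeness.
    case "$key_line" in
        *PRIVATE\ KEY*)
            echo "refusing: $pubkey_file is a private key" >&2; return 2 ;;
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *)
            echo "refusing: $pubkey_file is not an OpenSSH public key line" >&2; return 2 ;;
    esac
    # Compare on "type base64" only, so a different trailing comment is not a new key.
    key_id=$(printf '%s\n' "$key_line" | awk '{ print $1, $2 }')

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"

    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "added"
}

# Demo against a throwaway home directory with a constructed (not real) key.
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedkeymaterial tom@laptop\n' > "$d/id_rsa.pub"
    install_authorized_key "$d" "$d/id_rsa.pub"     # prints: added
    install_authorized_key "$d" "$d/id_rsa.pub"     # prints: already present
    ls -ld "$d/.ssh" "$d/.ssh/authorized_keys"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then
    install_authorized_key "$1" "$2"
else
    demo
fi
```

To apply it remotely, scp the script and id_rsa.pub over as in step 3 and run `ssh user@remotehost 'sh install_key.sh "$HOME" id_rsa.pub'`; the ssh-copy-id script shipped in OpenSSH's contrib directory performs the same steps.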
 
Old 10-08-2004, 07:04 PM   #59
floppywhopper
Truck stuff said
.... ISPs have been known to ban/blacklist without question for this type of activity

not necessarily !!
here in Australia it's apparently not illegal to do these sorts of scans
only illegal to actually break in to the system
at least that is what my ISP said

however when I showed them 2 days worth of logs
the activity stopped ( they were another customer of my ISP )

It seems strange that you can get arrested here for attempting to break and enter a house
but not attempting to break and enter via the internet
however it may be a breach of the ISP service agreement
in which case you're in luck
if they can be bothered to do anything about it
or even if they are bright enough to understand what was going on

A friend of mine was cracked
cos the ISP was cracked
they used my friend to spam everybody in the universe
and the ISP is like "duh... nope, not our problem"
ISP run by Homer-Simpson-clone rejects

I guess the moral to this story is to run a tightly locked down system

live long and prosper

floppywhopper

Last edited by floppywhopper; 10-08-2004 at 07:05 PM.
 
Old 10-10-2004, 07:17 PM   #60
jayjwa
Hm. No reply from the network in question on that ssh attempt I posted above. Somehow it doesn't surprise me. I had hoped I'd have gotten at least a "yeah, it was an unsecured proxy, we fixed it/told them to fix it/put it offline", or something. As far as scanning goes, I do it when I get connections to my host that are more than just "noise", as a way to try and gauge what might be occurring. I don't do it repeatedly, or to hosts without them contacting me first. I don't really mind it done to my host either, as long as it's not a precursor to an attack of some sort. I see it as the cyberspace equal of peeking out of the peephole some doors have at the people in the hallway. I tend to think that if an entire 12-minute long bruteforce login attempt went unnoticed by that ISP, even after several letters were sent to them w/logs pointing it out, then they can't be too concerned with one scan.
 
  

