On 10/03/2005 09:00 pm, Jared Hall wrote:
> I took care of it all last night a couple of minutes after I posted.
> Here's what I did.
>
> I looked at my logs and found that there was no successful root login.
> The reason netstat was showing another root connection from the
> mentioned IP is that the script kiddie was rapidly connecting to my
> sshd service and trying to crack root, and a whole bunch of
> nonexistent users. This machine only has two accounts on it, root,
> and my own. Both have extremely complicated passwords, so there's no
> way a script could have guessed it anyway. I couldn't kill the user
> because the connections were opening and closing too quickly. I
> blocked the IP using /etc/hosts.deny on each of my servers. The kids
> were looking at each of my IPs trying to find vulnerabilities... but
> not anymore. I sent an email to [EMAIL PROTECTED] to let the
> administrator know that one of their users is using scripts to attack
> servers over ssh (possibly using a mix of names from some of my mail
> user accounts and common names). I'm waiting for a reply still.
> Thanks for the input.
> Jared

Do you know for sure that /etc/hosts.deny has anything to do with ssh? I thought /etc/hosts.deny would only work with services that run from inetd or xinetd, not with daemons. 8)
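
The log review and hosts.deny block described in the quoted message, as an added example that is not part of the original thread: it parses sshd auth-log lines (constructed samples, in OpenSSH's syslog format), reports whether any source logged in as root, and emits hosts.deny entries for sources with repeated failures. It assumes an sshd built with TCP wrappers (libwrap) support, which is the case in which a standalone daemon consults /etc/hosts.deny; the function names and the threshold are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Oct  3 20:41:07 host sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Oct  3 20:41:08 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40115 ssh2
Oct  3 20:41:09 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 40119 ssh2
Oct  3 20:41:10 host sshd[1207]: Failed password for root from 203.0.113.5 port 40123 ssh2
Oct  3 20:52:30 host sshd[1300]: Failed password for jared from 198.51.100.7 port 51000 ssh2
Oct  3 20:52:41 host sshd[1300]: Accepted password for jared from 198.51.100.7 port 51000 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<unknown>(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Per source IP: failure count, unknown-user count, users tried, successes."""
    stats = defaultdict(lambda: {"failed": 0, "unknown": 0,
                                 "users": set(), "accepted": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Accepted":
            s["accepted"].add(m["user"])
        else:
            s["failed"] += 1
            s["users"].add(m["user"])
            if m["unknown"]:
                s["unknown"] += 1
    return dict(stats)

def root_logins(stats):
    """Source IPs that logged in successfully as root."""
    return sorted(ip for ip, s in stats.items() if "root" in s["accepted"])

def deny_lines(stats, threshold=3):
    """hosts.deny entries for IPs with many failures and no successful login."""
    return [f"sshd: {ip}" for ip, s in sorted(stats.items())
            if s["failed"] >= threshold and not s["accepted"]]

if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    print("root logins:", root_logins(st))
    print("\n".join(deny_lines(st)))
```

Sources that also have a successful login are left out of the deny list on purpose, so a legitimate user who mistyped a password is not locked out.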