Adam Hardy wrote:
One routine check that I do on my webserver to check it's OK is
netstat, and this time it looks like I was under attack from some
muppet out there via what seems to be a brute force attempt to crack
my ssh login.
(We're all seeing this all the time.)
Trying to understand the info, what is the foreign address - is that
the attacker's domain name: 59-124-248-196.HI ? If so, how come it's
this weird format? And what's 59-124-248-19:dircproxy? And how come so
many listed connections have no PID? Are they just abandoned login
attempts?
(Those are truncated displays for reverse lookups of IPs. And I'm too
lazy to check about this PID thing. Just use decent passwords (or ssh
key logins only) for your accounts (and possibly configure sshd to
prohibit logins to any users other than those which should have access),
then you're safe.)
I ran nmap from my home pc to see whether there were any unrecognised
ports open that might have been opened up if the cracker had got it,
and I see a couple of ports that show as filtered:
1720/tcp filtered H.323/Q.931
"filtered" just means that you don't get replies from those ports (it's
typically a firewall that DROPs packets instead of REJECTing them).
If it's tcp, this means you cannot create a connection to this port. You
have to find out where this packet filter resides (also check
"iptables-save" from within that machine).
Christian.
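
Added example (not part of the original message and not code from any project): a small Python helper for the "iptables-save" check suggested above, reporting which INPUT rule names a given TCP port and what it does with the packet. The ruleset is a constructed sample and the function names are made up for this illustration; it goes a little beyond the single port in the thread by also handling port ranges and multiport lists.

```python
import shlex

# Constructed sample of `iptables-save` output (not taken from the thread).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 1720,5000:5010 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
"""

def _opt(tokens, *names):
    """Return the value following the first of `names` found in tokens."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def _covers(spec, port):
    """True if a spec such as '22', '5000:5010' or '80,443' includes port."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def verdict_for_tcp_port(ruleset, port, chain="INPUT"):
    """Return (target, rule) for the first rule in `chain` naming the TCP
    port, or (policy, None) if no rule names it. Rules without an explicit
    port match (interface, state, source address) are not evaluated."""
    policy, in_filter = None, False
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")   # only look at the filter table
        elif not in_filter:
            continue
        elif line.startswith(":" + chain + " "):
            policy = line.split()[1]          # e.g. ":INPUT ACCEPT [0:0]"
        elif line.startswith("-A " + chain + " "):
            tokens = shlex.split(line)
            spec = _opt(tokens, "--dport", "--dports")
            if _opt(tokens, "-p") == "tcp" and spec and _covers(spec, port):
                return _opt(tokens, "-j"), line
    return policy, None
```

A DROP result for a port matches what nmap shows as "filtered" in the reply above; a (policy, None) result means no local rule names the port, so the filter is likely on another device in the path.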