From owner-freebsd-hackers@FreeBSD.ORG Thu Dec 16 09:14:02 2004
From: Peter Jeremy
To: John Von Essen
cc: hackers@freebsd.org
Date: Thu, 16 Dec 2004 20:13:51 +1100
Subject: Re: brute3.tar.gz
Message-ID: <20041216091351.GD91817@cirb503493.alcatel.com.au>
In-Reply-To: <20041215184645.B79679@beck.quonix.net>
List-Id: Technical Discussions relating to FreeBSD

On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
>Whatever this thing is, it's tricky. It only runs a few times a day, so it
>is tough to find the culprit source with ethereal unless I run ethereal
>all day, in packet capture mode.
Depending on how much disk space you have spare on your firewall and how much ssh traffic you get normally, running "tcpdump -w ... port 22" for a day or so may be feasible. You can add the target box's address to the filter and you won't get anything except the culprit address. (Of course, permanently running tcpdump may or may not be practical for other reasons.)

-- 
Peter Jeremy
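Worked example, added here and not part of the original thread or Peter Jeremy's message. The capture side is the command from the reply with the target's address in the filter; with a current tcpdump the file can also be rotated hourly so a day-long capture on a firewall stays manageable (interface name `em0` and target address `192.0.2.10` are assumptions):

    tcpdump -ni em0 -s 0 -G 3600 -w ssh-%Y%m%d-%H%M.pcap 'tcp port 22 and host 192.0.2.10'

The script below is the analysis side: it reads such a `tcpdump -w` file with the standard library only and lists every source address that sent a bare SYN to the target's SSH port, with the UTC time of each attempt, which is what you want when the culprit only shows up a few times a day. It assumes an Ethernet/IPv4 capture in classic libpcap format (not pcapng, VLAN-tagged or IPv6 traffic). The embedded sample capture is constructed for the example; the addresses in it are documentation ranges, not real hosts.

```python
"""List source addresses that opened SSH connections to a target host in a
tcpdump -w capture. Added example; pure standard library."""
import struct
import datetime

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def _pcap_records(data):
    """Yield (timestamp as float seconds, frame bytes) from a classic libpcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magics = {b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),
              b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9)}
    if data[:4] not in magics:
        raise ValueError("not a libpcap capture (pcapng is not handled here)")
    endian, frac = magics[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated tail, e.g. tcpdump was killed mid-write
        off += incl_len
        yield ts_sec + ts_frac * frac, frame


def _decode_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    # Non-first fragments carry no TCP header; the flags byte is at TCP offset 13.
    if ip[9] != IPPROTO_TCP or struct.unpack("!H", ip[6:8])[0] & 0x1FFF or len(ip) < ihl + 14:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport, ip[ihl + 13]


def ssh_initiators(pcap_bytes, target_ip, port=22):
    """Map each address that sent a bare SYN (SYN set, ACK clear) to target_ip:port
    to the UTC timestamps of those SYNs. SYN/ACK replies and sessions the target
    itself opens are ignored, so only the initiating side is reported."""
    seen = {}
    for ts, frame in _pcap_records(pcap_bytes):
        decoded = _decode_tcp(frame)
        if decoded is None:
            continue
        src, dst, _sport, dport, flags = decoded
        if dst != target_ip or dport != port or flags & (TCP_SYN | TCP_ACK) != TCP_SYN:
            continue
        seen.setdefault(src, []).append(datetime.datetime.fromtimestamp(ts, datetime.timezone.utc))
    return seen


def report(pcap_bytes, target_ip, port=22):
    """One line per initiating address: attempt count and time of the first attempt."""
    return [f"{src}: {len(times)} SYN(s) to {target_ip}:{port}, first at {times[0]:%Y-%m-%d %H:%M:%S}Z"
            for src, times in sorted(ssh_initiators(pcap_bytes, target_ip, port).items())]


# --- constructed sample capture (not real traffic) ---------------------------
def _tcp_frame(src, dst, sport, dport, flags):
    """Ethernet/IPv4/TCP frame with no options or payload; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def _build_pcap(records):
    """Little-endian libpcap file (microsecond magic, Ethernet) from (ts_sec, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, frame in records:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out


TARGET = "192.0.2.10"  # assumed address of the box being probed
SAMPLE_PCAP = _build_pcap([
    (1103102400, _tcp_frame("203.0.113.5", TARGET, 40001, 22, TCP_SYN)),
    (1103102400, _tcp_frame(TARGET, "203.0.113.5", 22, 40001, TCP_SYN | TCP_ACK)),  # reply, ignored
    (1103110000, _tcp_frame("198.51.100.9", TARGET, 40002, 80, TCP_SYN)),           # not ssh
    (1103117200, _tcp_frame("203.0.113.99", "192.0.2.11", 40003, 22, TCP_SYN)),     # other host
    (1103124000, _tcp_frame("198.51.100.7", TARGET, 40004, 22, TCP_SYN)),
    (1103130000, _tcp_frame("203.0.113.5", TARGET, 40005, 22, TCP_SYN)),
])

if __name__ == "__main__":
    import sys
    # Usage: python ssh_initiators.py capture.pcap 192.0.2.10 ; no arguments runs the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_PCAP
    target = sys.argv[2] if len(sys.argv) > 2 else TARGET
    print("\n".join(report(data, target)))
```

The same answer can be had from tcpdump itself once the capture exists, `tcpdump -nr ssh-*.pcap 'dst host 192.0.2.10 and dst port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`, which is the quicker route on the firewall; the script is useful when you want to post-process a day's worth of rotated files off-box or feed the result into something else. Either way, the SYN-only test is what keeps the target's own SYN/ACK replies and its outbound sessions out of the list.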