Date:      Wed, 6 Apr 2005 11:28:11 -0500
From:      Dan Rue <drue@therub.org>
To:        Martin McCormick <martin@dc.cis.okstate.edu>
Cc:        freebsd-security@freebsd.org
Subject:   Re: What is this Very Stupid DOS Attack Script?
Message-ID:  <20050406162811.GQ1019@therub.org>
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
References:  <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>

On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
> 	We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts.  An example:
> 
> Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user
> 	bruce from 67.19.58.170 port 32983 ssh2

In my experience, these are just script kiddies goofing around.  The
only useful thing to do is to report them to abuse@ their ISP - this can
actually be effective in some cases.

$ whois 67.19.58.170
OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

...

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-782-7802
OrgAbuseEmail:  abuse@theplanet.com

I'm sure his ISP would like to know about his behavior - send them a
report of his attempts.  Often in my opinion it's some 13-year-old who
doesn't realize he's not anonymous on the internet.  It quickly becomes
a tedious and thankless job, but it's the best weapon you have imo.

Also, I find on some systems it's nice to do whitelisting with
hosts.allow to only allow connections from certain addresses.  Obviously
that is not a solution for every system, but it can work well for some.

Dan
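The two things Dan suggests above (find the source addresses to look up with whois and report, and whitelist sshd in hosts.allow) as a worked example. This is an added example, not code from the original mail or from FreeBSD; the log lines are constructed in the format quoted in the thread, the 192.0.2.0/24 and 198.51.100.7 addresses are documentation addresses, and the "report at 3 or more failures" threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original mail: summarise sshd "Failed password"
# lines by source address, pick the addresses worth a whois lookup and an
# abuse report, and print the hosts.allow stanza for the whitelisting
# approach mentioned in the thread. The threshold (3) and the 192.0.2.0/24
# and 198.51.100.7 addresses are assumptions.

# Constructed sample log lines in the format quoted in the thread (syslog
# writes each message on one line; the wrap in the quoted mail is cosmetic).
SAMPLE_LOG='Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr  6 05:49:44 dc sshd[12408]: Failed password for illegal user admin from 67.19.58.170 port 32990 ssh2
Apr  6 05:49:47 dc sshd[12410]: Failed password for root from 67.19.58.170 port 32995 ssh2
Apr  6 06:12:01 dc sshd[12502]: Failed password for martin from 192.0.2.44 port 51022 ssh2
Apr  6 06:30:15 dc sshd[12600]: Accepted publickey for martin from 192.0.2.44 port 51100 ssh2'

# failed_by_source LOGTEXT
# Prints "count address" pairs, most failures first. Matches both the
# "illegal user" form and plain "Failed password for <user>" lines; the
# address is the field after the word "from".
failed_by_source() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password for / {
                 for (i = 1; i <= NF; i++)
                     if ($i == "from") { n[$(i + 1)]++; break }
             }
             END { for (a in n) print n[a], a }' |
        sort -rn
}

# offenders LOGTEXT THRESHOLD
# Prints the source addresses with at least THRESHOLD failures: these are
# the ones to run through whois and send to the OrgAbuseEmail contact.
offenders() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# hosts_allow_policy NETLIST
# Prints an /etc/hosts.allow stanza in hosts_access(5) syntax that admits
# sshd connections only from NETLIST and denies everything else. The first
# matching line wins, so the allow line must come before the deny line.
hosts_allow_policy() {
    printf 'sshd : %s : allow\n' "$1"
    printf 'sshd : ALL : deny\n'
}

# Stand-alone run: the per-address summary, the report candidates, and a
# whitelist for one /24 plus a single management host.
failed_by_source "$SAMPLE_LOG"
echo "--- addresses to report (>= 3 failures) ---"
offenders "$SAMPLE_LOG" 3
echo "--- /etc/hosts.allow ---"
hosts_allow_policy "192.0.2.0/255.255.255.0, 198.51.100.7"
```

On a real system, feed `failed_by_source` with the output of `grep sshd /var/log/auth.log` (the file name varies by syslog.conf), then run `whois` on each address `offenders` prints and mail the matching log lines to the OrgAbuseEmail address it shows. FreeBSD's base sshd honours hosts.allow, so the stanza above takes effect without restarting sshd; test it from an allowed and a denied address before relying on it, since a typo in the allow line locks out every remote login.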



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050406162811.GQ1019>