On 10/24/2011 6:08 PM, William Myers wrote:
I'm seeing the same thing from the same IP addresses.
William Myers
Associate Professor, Computer Studies
100 Belmont-Mount Holly Road
Belmont Abbey College
Belmont, NC 28012-1802
(704) 461-6823
FAX: (704) 461-5051
my...@crusader.bac.edu
On Sat, 22 Oct 2011, Admin ValhallaProjectet wrote:
Hello all
FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22 10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386
Firewall PF.
Blocking China and some other related countries in that region.
Disabled ssh root logins
Apparently, I'm under some kind of attack, for the last 3 days.
Lots of attempts to ssh in as root from many different IP addresses.
No bruteforce attempts.
This just puzzles me. Using all these resources? To achieve what?
Below is a one hour snip from my auth.log
Nothing unusual in pflog
Appreciate all ideas of how to proceed with this matter.
Best regards Hasse
*SNIP*
I wouldn't worry much about this personally; it looks like bots. Have
you patched everything? Have you considered moving SSH and other known
ports to different ports?
Most canned exploits are going to use common methods. Therefore, if you
patch your system, and move all services running to a non-standard port,
a lot of things no longer work. It's sort of like changing your system
around in Windows to kill off most viruses that are coded in a manner
that, simply moving directories around, completely disables their
ability to work.
Basically: patch your system, and keep it updated with security and bug
fixes; change the ports used by services to non-standard ones. Don't
ever allow root to log in remotely, and keep your filters running. Once
you change the ports, most exploits and bots cease to function, so you
don't really have to worry much about it.
I know of some people who actually just block all traffic except what
they want allowed, and even then, they've got it running on non-standard
standard ports, and they block all of China, and even though I consider
it a little racist to do that, they say it works well.
-Allen
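
An added example, not part of any message in this thread: a small auth.log summarizer that tells per-IP brute forcing apart from the pattern the original post describes (root attempts from many addresses, few tries each). The two sshd message forms, the thresholds and the sample lines are assumptions; the poster's actual log excerpt was snipped.

```python
import re
from collections import Counter

# Assumed OpenSSH message forms; adjust to what your auth.log actually contains.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    re.compile(r"sshd\[\d+\]: ROOT LOGIN REFUSED FROM (?P<ip>\S+)"),
]

# Constructed sample lines (documentation IP ranges), not taken from the poster's log.
SAMPLE = """\
Oct 22 10:01:12 odin sshd[4101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Oct 22 10:09:47 odin sshd[4117]: Failed password for root from 198.51.100.23 port 40022 ssh2
Oct 22 10:18:03 odin sshd[4130]: ROOT LOGIN REFUSED FROM 203.0.113.7
Oct 22 10:26:31 odin sshd[4142]: Failed password for root from 192.0.2.77 port 38810 ssh2
Oct 22 10:33:58 odin sshd[4155]: Failed password for invalid user admin from 198.51.100.23 port 40110 ssh2
Oct 22 10:41:20 odin sshd[4163]: Failed password for root from 203.0.113.99 port 60001 ssh2
""".splitlines()

def parse(lines):
    """Yield (user, ip) for each failed or refused SSH login line."""
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                # The ROOT LOGIN REFUSED form carries no user field; it is always root.
                yield m.groupdict().get("user", "root"), m.group("ip")
                break

def summarize(lines, user="root", burst=5, spread=4):
    """Classify attempts against `user`: one noisy source vs. many sources, few tries each."""
    per_ip = Counter(ip for u, ip in parse(lines) if u == user)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= burst)
    if noisy:
        pattern = "brute-force"      # at least one source hammering the account
    elif len(per_ip) >= spread:
        pattern = "distributed"      # many sources, each below the burst threshold
    else:
        pattern = "background"
    return {"attempts": sum(per_ip.values()), "sources": len(per_ip),
            "noisy": noisy, "pattern": pattern}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A "distributed" result means no single source crosses a per-address threshold, so per-source rate limits alone will not trip on it.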