Ted Roche wrote:
> I have a FC2 machine exposed to the Internet, supporting web, ftp, ssh and a few other functions. Each day I read the logs and see one or two visitors trying to log into ssh as "admin", "guest", "test" and "user" with one try each with a password and one without. The IP address is always different, but the fact that the pattern of names and attempts is always the same suggests script kiddies.
>
> I manually add the IP address to an iptables chain so that all future packets from that address are dropped.

You are not the only one. I see the same thing on the box I administer for work. Every time a different IP and they never try more than once each. It's not every day, but often enough that I have taken notice.

> For a while, I was looking up the addresses and sending email to their local abuse@ website, but that got to be too much work.
>
> Anyone have a suggestion re:
>
> 1) are these appropriate actions to take?

I would say yes. This is definitely appropriate.

> 2) is there any easier way to do it?

Normally, I tell people to install Portsentry, which will make the blocking automatic if you are portscanned, but as this script is checking ports you have open, it won't be useful here. You might try installing it anyway. I've been VERY happy with the added security it affords me, even if the list of blocked IPs is now several KB.

> 3) is there something else I ought to be doing?

Not unless you can close off these services. Someone else may have more ideas, but it sounds like you are doing just what you should be doing.

Brian

--
---------------------------------------------------------------
|   [EMAIL PROTECTED]            http://www.hirebrian.net  |
|                Simply the Best IT/MIS Manager               |
|          Self-taught, Fast Learner, and Team Player         |
|            Ready to Start TODAY at Your Company.            |
---------------------------------------------------------------
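Since the thread asks whether there is an easier way than adding each address to an iptables chain by hand, here is an added example (not code from either poster) that automates the two steps Ted describes: find the source addresses that tried the whole "admin/guest/test/user" name list against sshd, then emit the iptables rules that drop them. It assumes syslog-style sshd lines as FC2 writes to /var/log/secure, a dedicated chain named SSH_BLOCK, and a threshold of three distinct probed names per address; the chain name, the threshold and the sample log lines are all assumptions made up for this example.

```shell
#!/bin/sh
# Added example for the gnhlug thread, not from the original posters.
# Assumptions: syslog-style sshd lines (FC2 /var/log/secure), a user-defined
# iptables chain SSH_BLOCK hooked into INPUT, and the probed account names
# Ted listed (admin, guest, test, user).

# Constructed sample log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG='Jun  3 04:12:01 host sshd[2231]: Failed password for illegal user admin from 192.0.2.10 port 44121 ssh2
Jun  3 04:12:03 host sshd[2233]: Failed password for illegal user guest from 192.0.2.10 port 44130 ssh2
Jun  3 04:12:05 host sshd[2235]: Failed password for illegal user test from 192.0.2.10 port 44142 ssh2
Jun  3 04:12:07 host sshd[2237]: Failed password for illegal user user from 192.0.2.10 port 44150 ssh2
Jun  3 09:30:10 host sshd[3101]: Failed password for ted from 198.51.100.7 port 50011 ssh2
Jun  3 11:02:44 host sshd[3320]: Failed password for illegal user admin from 203.0.113.5 port 41000 ssh2'

# Minimum number of distinct probed names before an address is reported (assumption).
MIN_NAMES=3
# Chain the drop rules go into (assumption; create it once with setup_rules).
CHAIN=SSH_BLOCK

# Read sshd log text on stdin; print one source IP per line for every address
# that tried at least MIN_NAMES of the four probed account names.
# A failed login for a real account (e.g. "for ted") is ignored: that is a
# mistyped password, not the scripted pattern Ted describes.
suspect_ips() {
    awk -v min="$MIN_NAMES" '
      / sshd\[[0-9]+\]: Failed password for (illegal|invalid) user (admin|guest|test|user) from / {
          # The account name is the token before "from", the IP the token after it.
          for (i = 1; i <= NF; i++) {
              if ($i == "from") { name = $(i - 1); ip = $(i + 1); break }
          }
          if (!((ip, name) in seen)) { seen[ip, name] = 1; cnt[ip]++ }
      }
      END { for (ip in cnt) if (cnt[ip] >= min) print ip }
    ' | sort
}

# Print the one-time commands that create the chain and hook it into INPUT.
setup_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -I INPUT -j %s\n' "$CHAIN"
}

# Read IPs on stdin; print one DROP rule per address. Nothing is applied here:
# review the output, then pipe it to "sh" as root when you are satisfied.
block_rules() {
    while read -r ip; do
        printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$ip"
    done
}

# Stand-alone demonstration on the constructed sample: prints the rules for
# 192.0.2.10 only, since the other two addresses do not fit the pattern.
printf '%s\n' "$SAMPLE_LOG" | suspect_ips | block_rules
```

On a live box replace the sample with `block_rules < /var/log/secure`-style input (`suspect_ips < /var/log/secure | block_rules`), and run `setup_rules | sh` once before applying the generated DROP lines; because the output is only printed, a misparsed line can be caught before it locks anything out, which is the main risk of automating a block list.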
_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss