Hi Ted,

On 2015-09-23 Wed 13:51 PM |, Ted Unangst wrote:
> >
> > Zombies are often attacking ports which don't have services running,
> > such as telnet (most popular indeed....), mysql, 3551, 8080, 13272, etc.
> >
>
> block log those ports, then process the log file?
>
Running tcpdump was my first thought too, via an rc.d started script,
but I wasn't too keen on having that running all the time.

Ta.

-- 
An elephant is a mouse with an operating system.