Re: The unwanted fish...
Previously Martin Fluch wrote:
> I'm running unstable and (maybe) a month ago I spotted a fish swimming over
> my desktop from left to right, just a small one, just once. Today again.

I suspect you hit an easter egg in GNOME.

Wichert.

--
Generally uninteresting signature - ignore at your convenience
[EMAIL PROTECTED]  http://www.liacs.nl/~wichert/
1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D
Re: blocking an ip after n failed login attempts
On Wednesday 15 August 2001 11:21, David N Moore wrote:
> Hi,
> I have been poking around with google looking for some ideas
> for a solution to this problem. Can you think of an easy way to block
> all connections from a certain ip if it tries to log in say 5 times and
> fails? The idea being that it would stop someone from using a
> dictionary-based attack if they had a user-name.
>
> Any input would be appreciated.
>
> -dave

Portsentry will do this. You can specify a list of ports, and what kind of
activity to block.

HTH,
-pete
Re: The unwanted fish...
On 16 Aug 2001 00:08:48 +0300, Martin Fluch wrote:
> Hi!
>
> I know that this question was posted some time (some months) ago on this
> list (or debian-user), but I couldn't find the answer in the mailing list
> archives.
>
> I'm running unstable and (maybe) a month ago I spotted a fish swimming over
> my desktop from left to right, just a small one, just once. Today again.
>
> Does anybody know where this fish is coming from? (I'm a little bit
> confused, since I have never requested it and have no idea, how this
> little beast comes on my desktop.)
>
> Thanxs for any hint :-)
>
> - Martin

It's an easter egg of the GNOME Panel. Nothing to worry about.

I *think* the details are as follows:

Every time you fire up the panel, it tests a number between 1 and (some
large number in the thousands) every ten minutes. When the numbers match,
the fish flies across the screen.

Jim Cape
http://www.ignore-your.tv

If the United States Government spent as much on education as it did on
the military, every student could fail in a solid gold desk.
Re: blocking an ip after n failed login attempts
On Wed, 15 Aug 2001, David N Moore wrote:
> Hi,
> I have been poking around with google looking for some ideas
> for a solution to this problem. Can you think of an easy way to block
> all connections from a certain ip if it tries to log in say 5 times and
> fails? The idea being that it would stop someone from using a
> dictionary-based attack if they had a user-name.
>
> Any input would be appreciated.

You could use swatch. This program searches files for a given pattern and
then reacts by executing a command, or just writing a warning to the console.
You must write a short program that creates IP-named files in a special
directory where it stores the number of failed connections; if the number
written to the file is bigger than or equal to the max_failed_connect it
would execute iptables -t filter -I INPUT -s $IP -j DROP. If this
max_failed_connect is smaller it would only increase it.

--
Robert Magier
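
The counting scheme described in the message above, as an added example that is not part of the original thread: one counter file per source IP, and the block rule emitted once when the counter reaches the limit. The log line format (OpenSSH-style "Failed password for USER from IP port N ssh2"), the function names and the sample lines are assumptions made for this example; the rule is printed rather than executed so the script runs without root.

```shell
#!/bin/sh
# Added illustration of the per-IP counter scheme; not code from the thread.
MAX_FAILED_CONNECT=5   # name taken from the message; 5 is the "say 5" of the question

# Constructed sample input in the assumed log format (documentation addresses).
sample_log() {
    cat <<'EOF'
Aug 15 11:21:01 myserver sshd[301]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 15 11:21:03 myserver sshd[302]: Failed password for root from 192.0.2.10 port 40002 ssh2
Aug 15 11:21:04 myserver sshd[303]: Failed password for dave from 198.51.100.7 port 50001 ssh2
Aug 15 11:21:05 myserver sshd[304]: Failed password for root from 192.0.2.10 port 40003 ssh2
Aug 15 11:21:07 myserver sshd[305]: Failed password for x from 203.0.113.9 port 1 from 192.0.2.10 port 40004 ssh2
Aug 15 11:21:08 myserver sshd[306]: Accepted password for dave from 198.51.100.7 port 50002 ssh2
Aug 15 11:21:09 myserver sshd[307]: Failed password for root from 192.0.2.10 port 40005 ssh2
Aug 15 11:21:10 myserver sshd[308]: Failed password for root from 192.0.2.10 port 40006 ssh2
EOF
}

# Accept only a dotted quad with four octets <= 255. The value becomes a file
# name and a firewall argument, so nothing else may pass.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# scan_log STATE_DIR: read log lines on stdin, keep one counter file per IP in
# STATE_DIR, and print the block rule the first time an IP reaches the limit.
scan_log() {
    state_dir=$1
    while IFS= read -r line; do
        # The user name is chosen by the remote side and may itself contain
        # "from <ip> port <n>", so the pattern is anchored at the end of the
        # line: only the address written last by sshd is counted.
        ip=$(printf '%s\n' "$line" |
            sed -n 's/.*: Failed password for .* from \([0-9][0-9.]*\) port [0-9]* ssh2$/\1/p')
        [ -n "$ip" ] || continue
        is_ipv4 "$ip" || continue
        count_file=$state_dir/$ip
        count=0
        if [ -f "$count_file" ]; then
            count=$(cat "$count_file")
        fi
        count=$((count + 1))
        printf '%s\n' "$count" > "$count_file"
        # -eq rather than -ge: later failures keep counting but do not
        # insert the same rule again.
        if [ "$count" -eq "$MAX_FAILED_CONNECT" ]; then
            printf 'iptables -t filter -I INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}

demo_dir=$(mktemp -d)
sample_log | scan_log "$demo_dir"   # prints one rule, for 192.0.2.10
rm -rf "$demo_dir"
```

In the sample, the line whose user name embeds a second address is counted against 192.0.2.10, the address sshd appended, and no counter is created for 203.0.113.9.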
Re: The unwanted fish...
Martin Fluch wrote:
> I'm running unstable and (maybe) a month ago I spotted a fish swimming over
> my desktop from left to right, just a small one, just once. Today again.
>
> Does anybody know where this fish is coming from? (I'm a little bit
> confused, since I have never requested it and have no idea, how this
> little beast comes on my desktop.)

Sounds like the famous GNOME easter egg. I've never seen it myself, oddly.

Craig
Re: The unwanted fish...
On Wednesday 15 August 2001 04:08 pm, Martin Fluch wrote:
> I'm running unstable and (maybe) a month ago I spotted a fish swimming over
> my desktop from left to right, just a small one, just once. Today again.
>
> Does anybody know where this fish is coming from? (I'm a little bit
> confused, since I have never requested it and have no idea, how this
> little beast comes on my desktop.)

http://lists.debian.org/debian-user/2001/debian-user-200108/msg02333.html

--
Bud Rogers <[EMAIL PROTECTED]> http://www.sirinet.net/~budr
All things in moderation. And not too much moderation either.
Re: The unwanted fish...
From: "Martin Fluch" <[EMAIL PROTECTED]>
> I'm running unstable and (maybe) a month ago I spotted a fish swimming over
> my desktop from left to right, just a small one, just once. Today again.
>
> Does anybody know where this fish is coming from? (I'm a little bit
> confused, since I have never requested it and have no idea, how this
> little beast comes on my desktop.)

I too saw it a time back, and I can't seem to find anything about it either
in the archives or on the internet. The source of the wanda the gnome
fish-applet includes some kind of random string that makes the fish swim
across your desktop sometimes. I can't remember any algorithm or anything
like that, but I think it was the applet, but it might be gnome itself...

Read the source ;-)

/bazz
--
http://bazz.nu/.sig/
Re: The unwanted fish...
On Wednesday 15 August 2001 04:08 pm, Martin Fluch wrote:
> I'm running unstable and (maybe) a month ago I spotted a fish swimming over
> my desktop from left to right, just a small one, just once. Today again.
>
> Does anybody know where this fish is coming from? (I'm a little bit
> confused, since I have never requested it and have no idea, how this
> little beast comes on my desktop.)

Do you use Gnome? There was a thread not long ago on debian-user I believe
about an easter egg in Gnome that occasionally causes a fish to swim across
the screen.

--
Bud Rogers <[EMAIL PROTECTED]> http://www.sirinet.net/~budr
All things in moderation. And not too much moderation either.
AW: blocking an ip after n failed login attempts
Hmm... If it's that what you were looking for, try

route add -host gw 127.0.0.1

That'll blackhole it and you won't have to modify the file for that.

Michael

-----Original Message-----
From: Radu Florian [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 August 2001 23:16
To: David N Moore
Cc: debian-security@lists.debian.org
Subject: Re: blocking an ip after n failed login attempts

David N Moore wrote:
> Hi,
> I have been poking around with google looking for some ideas
> for a solution to this problem. Can you think of an easy way to block
> all connections from a certain ip if it tries to log in say 5 times and
> fails? The idea being that it would stop someone from using a
> dictionary-based attack if they had a user-name.
>
> Any input would be appreciated.
>
> -dave

I would just add the IP address in the /etc/hosts.deny file; something like:

portmap:

would do the trick.

Hans
Re: blocking an ip after n failed login attempts
David N Moore wrote:
> Hi,
> I have been poking around with google looking for some ideas
> for a solution to this problem. Can you think of an easy way to block
> all connections from a certain ip if it tries to log in say 5 times and
> fails? The idea being that it would stop someone from using a
> dictionary-based attack if they had a user-name.
>
> Any input would be appreciated.
>
> -dave

I would just add the IP address in the /etc/hosts.deny file; something like:

portmap:

would do the trick.

Hans
The unwanted fish...
Hi!

I know that this question was posted some time (some months) ago on this
list (or debian-user), but I couldn't find the answer in the mailing list
archives.

I'm running unstable and (maybe) a month ago I spotted a fish swimming over
my desktop from left to right, just a small one, just once. Today again.

Does anybody know where this fish is coming from? (I'm a little bit
confused, since I have never requested it and have no idea, how this
little beast comes on my desktop.)

Thanxs for any hint :-)

- Martin
Re: sshd attack?
On Wed, Aug 15, 2001 at 08:16:26PM +0100, Matthew Sackman wrote:
> In fact why not just be really cruel: install the dtk (deception
> toolkit) - find it at all.net - and then watch the hackers think
> that they've found a vulnerable box and try to exploit it whilst
> you gather enough information about them to... [fill in as necessary].

I think it's not wise to install additional software that provides some
kind of network-service. dtk itself might help to compromise security.

Keep it simple.

Phil
Re: sshd attack?
In fact why not just be really cruel: install the dtk (deception toolkit) -
find it at all.net - and then watch the hackers think that they've found a
vulnerable box and try to exploit it whilst you gather enough information
about them to... [fill in as necessary].

Of course all the files that they manage to steal from your system are faked,
then they'll waste 2 days running a brute force cracker and will then get
upset when the usernames/passwords don't work...

Nice! ;-)

Matthew

On Wed, Aug 15, 2001 at 09:59:27AM +0200, Jörgen Persson wrote:
> On Wed, Aug 15, 2001 at 09:37:51AM +0200, Siegbert Baude wrote:
> > Hello,
> >
> > I get about 100 log entries of the following pattern:
> >
> > Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation
> > attack: network attack detected
> >
> >
> > What's this?
>
> I do not know.
>
> > How can I find out, from where this attack is originating? Must I increase
> > the verbosity level of sshd to achieve this?
>
> sshd might be able to do it. I'm logging the originating address through
> my internet services daemon. I happen to use tcpserver[1] but inetd[2]
> and xinetd[3] ought to be able to do it as well. A second alternative is
> to do it through a tcpwrapper like Venema's[4].
>
> Jörgen
>
> [1] http://cr.yp.to/ucspi.tcp/tcpserver.html
> [2] ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/
> [3] http://www.xinetd.org/
> [4] ftp://ftp.porcupine.org/pub/security/

--
Matthew Sackman
Nottingham, ENGLAND
Using Debian/GNU Linux
Enjoying computing

It said 'Required Windows XP or better.' So I installed Linux.
blocking an ip after n failed login attempts
Hi,
I have been poking around with google looking for some ideas
for a solution to this problem. Can you think of an easy way to block
all connections from a certain ip if it tries to log in say 5 times and
fails? The idea being that it would stop someone from using a
dictionary-based attack if they had a user-name.

Any input would be appreciated.

-dave
Re: Mutt and inline gpg
/usr/share/doc/mutt/PGP-Notes.txt.gz

> I am using the same procmail filter and can say that it works
> perfectly for incoming pgp/gpg mails. However, this does not solve the
> problem with other mail clients that want to have inline PGP messages,
> and those are many.
> Is there a way to make mutt send inline PGP messages instead of the
> MIME attachment form?

--
Alexey
Re: sshd attack?
On Wed, Aug 15, 2001 at 09:37:51AM +0200, Siegbert Baude wrote:
> Hello,
>
> I get about 100 log entries of the following pattern:
>
> Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation
> attack: network attack detected
>
>
> What's this?

I do not know.

> How can I find out, from where this attack is originating? Must I increase
> the verbosity level of sshd to achieve this?

sshd might be able to do it. I'm logging the originating address through
my internet services daemon. I happen to use tcpserver[1] but inetd[2]
and xinetd[3] ought to be able to do it as well. A second alternative is
to do it through a tcpwrapper like Venema's[4].

Jörgen

[1] http://cr.yp.to/ucspi.tcp/tcpserver.html
[2] ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/
[3] http://www.xinetd.org/
[4] ftp://ftp.porcupine.org/pub/security/
Re: sshd attack?
On Wed, Aug 15, 2001 at 09:37:51AM +0200, Siegbert Baude wrote:
> I get about 100 log entries of the following pattern:
>
> Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation
> attack: network attack detected

I got the same.

Aug 14 11:46:44 nepomuk sshd[12166]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 11:46:44 nepomuk sshd[12165]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 11:46:44 nepomuk sshd[12167]: Connection closed by 192.167.166.229

> What's this?

An old but long fixed sshd-vulnerability.

> How can I find out, from where this attack is originating? Must I increase
> the verbosity level of sshd to achieve this?

Notice the last line of my logs? You should find something like this too.
A simple whois will tell you more about the network the attack came from.

Phil
sshd attack?
Hello,

I get about 100 log entries of the following pattern:

Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation attack: network attack detected

What's this?

How can I find out, from where this attack is originating? Must I increase
the verbosity level of sshd to achieve this?

Thanks in advance
Siegbert