Re: Is there any data base collecting data on breakin attempts?
Check out https://dshield.org/howto.html for a central place to submit attempts. Some useful pages: https://dshield.org/reports.html and https://dshield.org/sources.html

As many sources can be anonymous, it's easy for hosts to end up on someone's lists from either spoofed IPs or replies to spoofed IPs, etc., and so it shouldn't be used as a blacklist, at least not exclusively (i.e., you wouldn't want to block port 80 based on this for a public web server).

----- Original Message -----
> From: "hansel"
> To: SCIENTIFIC-LINUX-USERS@FNAL.GOV
> Sent: Sunday, February 8, 2015 12:41:56 PM
> Subject: Is there any data base collecting data on breakin attempts?
>
> I accept as normal many (upwards of several thousand) daily root
> break-in attempts. My defense is careful sshd configuration and a
> restrictive incoming router firewall.
>
> Does anyone maintain a database of consistently offending sites (maybe
> a news source, such as politico or propublica)? Initial use of whois
> and dig for a few returned familiar countries of origin, countries that
> may encourage or even sponsor some attempts.
>
> I searched the archive for "breakin" and "failed" with and without
> subject line qualifiers (like "root") and found nothing.
>
> Thank you.
> mark hansel
RE: Is there any data base collecting data on breakin attempts?
Mark, not a direct answer to your question, but you could run 'fail2ban'. This will log and blacklist failed login attempts; the time the blacklist is valid for is tunable. Maybe not what you asked for, but it might help you.
Re: Is there any data base collecting data on breakin attempts?
Well, the answer is yes, there are, for things like email and other specific services. These are lists you generally pay to get access to, the reason being that it takes a lot of constant work to maintain them.

Your best bet, though, is to run snort and possibly a console like base (just search "snort base"; you should find it quickly). If you are really brave and paranoid you can also run snort "inline" in your firewall; however, I don't know of anyone who has ever done that in a production environment. Snort in inline mode links into iptables and/or a squid proxy and will actively drop and log anything it finds objectionable. The problem is that until it's tuned correctly, snort tends to find everything it sees objectionable.

The other thing you can do is log monitoring on a central syslog server. In the past Red Hat used to install logwatch on every host, resulting in a deluge of daily email reports, which were annoying. But if you run logwatch on a central syslog server and you actually tune the settings, logwatch becomes your best friend, because it will give you an easy-to-read daily report encompassing your entire infrastructure.

----- Original Message -----
> From: hansel
> Sent: Monday, February 9, 2015 09:57
> To: SCIENTIFIC-LINUX-USERS@FNAL.GOV
> Subject: Is there any data base collecting data on breakin attempts?
>
> I accept as normal many (upwards of several thousand) daily root
> break-in attempts. My defense is careful sshd configuration and a
> restrictive incoming router firewall.
>
> Does anyone maintain a database of consistently offending sites (maybe
> a news source, such as politico or propublica)? Initial use of whois
> and dig for a few returned familiar countries of origin, countries that
> may encourage or even sponsor some attempts.
>
> I searched the archive for "breakin" and "failed" with and without
> subject line qualifiers (like "root") and found nothing.
>
> Thank you.
> mark hansel
Is there any data base collecting data on breakin attempts?
I accept as normal many (upwards of several thousand) daily root break-in attempts. My defense is careful sshd configuration and a restrictive incoming router firewall.

Does anyone maintain a database of consistently offending sites (maybe a news source, such as politico or propublica)? Initial use of whois and dig for a few returned familiar countries of origin, countries that may encourage or even sponsor some attempts.

I searched the archive for "breakin" and "failed" with and without subject line qualifiers (like "root") and found nothing.

Thank you.
mark hansel