[clug] Fwd: Abuse of your service by one of your customers.

Andrew Pollock andrew-clug at andrew.net.au
Tue Mar 1 02:18:07 GMT 2005


On Tue, Mar 01, 2005 at 11:53:42AM +1100, Nigel Cunningham wrote:
> Howdy all.
> 
> After so long having no passwords on my laptop, the situation finally
> changed a while ago (Got ADSL). And this morning, I became glad that I
> finally became slightly more security conscious...
> 
> Who says people have no persistence nowadays? :>
> 
> (And I beefed it up a bit more after this, disabling ssh access direct
> to root and password authentication).
> 

I would so not bother complaining about these to the point of origin. The
machine has been 0wned, and if the ISP's abuse desk does manage to get
around to telling the customer to do something about it, it'll probably just
get 0wned again faster than you can say Windows Update.

I've been experimenting with some reactive netfilter rules, with fairly good
results (in cutting down the amount of noise in the logs related to these
attacks) and minimal collateral damage to legitimate SSH users.

http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks

Mitigate against the problem (as you have) and move along... In my case, I was
more interested in getting the noise out of my logs as I use logwatch, and
didn't want to permanently ignore such entries.

regards

Andrew

-- 
linux.conf.au 2005   -  http://linux.conf.au/  -  Birthplace of Tux
April 18th to 23rd   -  http://linux.conf.au/  -       LINUX
Canberra, Australia  -  http://linux.conf.au/  -    Get bitten!
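
Reactive rules of the kind mentioned in the message can be built on the netfilter `recent` match (ipt_recent). The following is an added example, not the rules from the linked blog post and not code from the original message; the chain name, list name, thresholds and the `TRUSTED` exemption list are assumptions.

```shell
#!/bin/sh
# Added example: throttle new SSH connections per source address with the
# netfilter "recent" match. Chain name, list name and thresholds are assumptions.

IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"      # seconds of history considered per source address
HITS="${HITS:-4}"           # the HITS-th new connection inside WINDOW is dropped
TRUSTED="${TRUSTED:-}"      # space-separated sources exempt from throttling

ssh_throttle_rules() {
    # Dedicated chain so the rules can be flushed or removed as a unit.
    $IPT -N SSH_THROTTLE
    # Only connection attempts (state NEW) are counted; established
    # sessions never reach the throttle chain.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_THROTTLE

    # Known-good sources return early, which limits collateral damage
    # to legitimate users and keeps admins from locking themselves out.
    for src in $TRUSTED; do
        $IPT -A SSH_THROTTLE -s "$src" -j RETURN
    done

    # Record this attempt against the source address.
    $IPT -A SSH_THROTTLE -m recent --name ssh_attempts --set
    # Drop once the source has HITS or more attempts within WINDOW seconds.
    # --update refreshes the entry on a match, so a source that keeps
    # hammering stays blocked until it goes quiet.
    $IPT -A SSH_THROTTLE -m recent --name ssh_attempts --update \
        --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Everything else falls through to the rest of INPUT.
    $IPT -A SSH_THROTTLE -j RETURN
}

# Apply only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "apply" ]; then
    ssh_throttle_rules
fi
```

Dropped attempts never reach sshd, so they produce no authentication failures for logwatch to report, while the log entries themselves are not filtered out.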

