[TriLUG] list newbie has stuff to give away (gmail type stuff)

Shane O'Donnell shaneo at nc.rr.com
Tue Aug 24 11:39:48 EDT 2004


OK - First a disclaimer (so Mike J. doesn't jump on me for advancing this
idea as TRUE security):  This is a reasonably easily sniffed-and-evaded
security-through-obscurity mechanism, but it should work to help eliminate
these random attacks on your system.

Port Knocking (as discussed in Linux Journal and SysAdmin in June 2003) is
an interesting approach to attempting to access open ports via the wild
wooly Internet without always having listeners up.  Of course, this will
require either a Linux/*BSD firewall, or at least having your system
config'd as a DMZ host (for the Linksys/NetGear/et al families of routers),
but it might prove helpful.

http://www.portknocking.org/

Enjoy!

Shane O.

-----Original Message-----
From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf
Of Mike Johnson
Sent: Tuesday, August 24, 2004 10:27 AM
To: Triangle Linux Users Group discussion list
Subject: Re: [TriLUG] list newbie has stuff to give away (gmail type stuff)

James Lloyd Beidler [james at layyze.com] wrote:
>   Point well taken (BTW, I also have RR).  On second inspection I noticed
> that I only got repeat IPs once or twice.  Also, a whois tells me that
> they are coming from China, Korea, Nicaragua, and Brazil (except for the
> repeats, which all came from Shaw cable customers).  The methodical
> request for the same 5 or so usernames makes me think that this is the
> work of some script.  I should update my offer to say that anyone that
> has any good ideas on how to deal with this can get the gmail invite (if
> you want it).

My advice is to simply ignore it.  It's not worth the time and effort to
code up something that will likely false positive on you.  Here's some
information on what you're seeing:
http://isc.sans.org/diary.php?date=2004-08-22
And read the messages titled "SSH Scanner?" on this page:
http://lists.sans.org/pipermail/list/2004-July/thread.html

Like I said, ignore it.  If you don't have those accounts and your
version of openssh is reasonably up to date, you're fine.  You should,
however, attempt to notify the ISPs from which the attacks originate.
You likely won't hear anything back from the overseas attacks, but I
wouldn't be surprised if Shaw pulled the plug on that one IP.

Mike, already gmail'd
-- 
"Spare me your space-age technobabble Attila The Hun!" --  Zapp Brannigan

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc

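The "methodical request for the same 5 or so usernames" James describes, and Mike's rule that the noise only matters if those accounts exist, can both be checked mechanically. The script below is an added example, not code from either poster or from the TriLUG list: it parses a constructed auth.log excerpt in OpenSSH's "Failed password for ..." format, groups failures by source address, finds the usernames that several unrelated sources all try (the script's wordlist), flags sources that never tried anything outside that wordlist as scanner-like, and reports which of those names actually exist locally. The log lines, addresses, usernames and the LOCAL_ACCOUNTS set are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed auth.log excerpt in OpenSSH's message format. Not from the original
# post; the addresses, times and usernames are made up.
SAMPLE_AUTH_LOG = """\
Aug 22 03:14:07 box sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 40321 ssh2
Aug 22 03:14:09 box sshd[2203]: Failed password for invalid user guest from 203.0.113.5 port 40322 ssh2
Aug 22 03:14:11 box sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 40323 ssh2
Aug 22 03:14:13 box sshd[2207]: Failed password for root from 203.0.113.5 port 40324 ssh2
Aug 22 03:14:15 box sshd[2209]: Failed password for invalid user user from 203.0.113.5 port 40325 ssh2
Aug 22 05:02:40 box sshd[2301]: Failed password for invalid user test from 198.51.100.77 port 51000 ssh2
Aug 22 05:02:42 box sshd[2303]: Failed password for invalid user guest from 198.51.100.77 port 51001 ssh2
Aug 22 05:02:44 box sshd[2305]: Failed password for invalid user admin from 198.51.100.77 port 51002 ssh2
Aug 22 05:02:46 box sshd[2307]: Failed password for root from 198.51.100.77 port 51003 ssh2
Aug 22 05:02:48 box sshd[2309]: Failed password for invalid user user from 198.51.100.77 port 51004 ssh2
Aug 22 09:30:01 box sshd[2400]: Failed password for james from 192.0.2.10 port 60000 ssh2
Aug 22 09:30:05 box sshd[2402]: Accepted password for james from 192.0.2.10 port 60000 ssh2
"""

# Constructed: the accounts that exist on this box (hypothetical).
LOCAL_ACCOUNTS = {"james", "root"}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def to_seconds(stamp: str) -> float:
    """Syslog timestamps carry no year; only differences between them are used."""
    dt = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def parse_failed_logins(text: str) -> List[Tuple[float, str, str]]:
    """Return (timestamp_seconds, source_ip, username) for each failed password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((to_seconds(m["ts"]), m["src"], m["user"]))
    return events


def summarize_by_source(events: Iterable[Tuple[float, str, str]]) -> Dict[str, dict]:
    """Per source: how many attempts, which usernames, and over how many seconds."""
    per_src = defaultdict(list)
    for ts, src, user in events:
        per_src[src].append((ts, user))
    summary = {}
    for src, items in per_src.items():
        times = [t for t, _ in items]
        summary[src] = {
            "attempts": len(items),
            "users": sorted({u for _, u in items}),
            "span_seconds": max(times) - min(times),
        }
    return summary


def shared_usernames(summary: Dict[str, dict], min_sources: int = 2) -> List[str]:
    """Usernames tried by at least `min_sources` different addresses: the scanner's wordlist."""
    seen_from = defaultdict(set)
    for src, info in summary.items():
        for user in info["users"]:
            seen_from[user].add(src)
    return sorted(u for u, srcs in seen_from.items() if len(srcs) >= min_sources)


def scanner_like_sources(summary: Dict[str, dict], shared: List[str], min_attempts: int = 3) -> List[str]:
    """Sources with several attempts that never strayed outside the shared wordlist."""
    wordlist = set(shared)
    return sorted(src for src, info in summary.items()
                  if info["attempts"] >= min_attempts and set(info["users"]) <= wordlist)


def scanned_accounts_that_exist(shared: List[str], local_accounts: Iterable[str]) -> List[str]:
    """The only names from the wordlist worth a second look: the ones that exist here."""
    return sorted(set(shared) & set(local_accounts))


if __name__ == "__main__":
    summary = summarize_by_source(parse_failed_logins(SAMPLE_AUTH_LOG))
    shared = shared_usernames(summary)
    for src, info in sorted(summary.items()):
        print(f"{src:>14}: {info['attempts']} attempts, {len(info['users'])} users "
              f"over {info['span_seconds']:.0f}s -> {', '.join(info['users'])}")
    print("shared wordlist:", shared)
    print("scanner-like sources:", scanner_like_sources(summary, shared))
    print("wordlist names that exist locally:", scanned_accounts_that_exist(shared, LOCAL_ACCOUNTS))
```

On the sample, the two overseas-style sources try the same five names two seconds apart and nothing else, which is what a script looks like; the single failure for an account that then logs in successfully is left alone, which is the false positive Mike warns that any automatic blocker would trip on.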
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
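The port knocking idea Shane points to, as an added example that is not code from the post, from the TriLUG list or from portknocking.org: a small per-source state machine fed from constructed iptables LOG lines for connection attempts on the knock ports. The knock sequence (7000, 8000, 9000), the 10-second window for completing it and the 30-second grant are arbitrary assumptions for the demonstration; the log lines are abbreviated and made up. It shows the behaviour a practitioner wants to see before trusting such a daemon: an out-of-order knock resets progress, a sequence spread over more than the window is discarded, and the grant expires. As Shane says, anyone who can sniff the three SYNs can replay them, so this hides the listener from scanners but is not authentication.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed, abbreviated iptables LOG lines (log-prefix "KNOCK ") for SYNs that
# hit the knock ports. Not from the original post; addresses and times are made up.
SAMPLE_FW_LOG = """\
Aug 24 11:39:48 fw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=7000 SYN
Aug 24 11:39:49 fw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51235 DPT=8000 SYN
Aug 24 11:39:50 fw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51236 DPT=9000 SYN
Aug 24 11:39:55 fw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=7000 SYN
Aug 24 11:39:56 fw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=9000 SYN
Aug 24 11:39:57 fw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=8000 SYN
Aug 24 11:41:00 fw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=33000 DPT=7000 SYN
Aug 24 11:41:05 fw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=33001 DPT=8000 SYN
Aug 24 11:41:15 fw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=33002 DPT=9000 SYN
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]+) .*? SRC=(?P<src>[\d.]+) .*? DPT=(?P<dpt>\d+)")


def to_seconds(stamp: str) -> float:
    """Syslog timestamps carry no year; only differences between them are used."""
    dt = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def parse_knock_log(text: str) -> List[Tuple[float, str, int]]:
    """Return (timestamp_seconds, source_ip, destination_port) for each logged SYN."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((to_seconds(m["ts"]), m["src"], int(m["dpt"])))
    return events


class PortKnocker:
    """Per-source state machine. The sequence must arrive in order within `window`
    seconds; success opens the guarded port to that source for `grant` seconds.
    Assumed parameters: sequence, window and grant are hypothetical values."""

    def __init__(self, sequence=(7000, 8000, 9000), window=10.0, grant=30.0):
        self.sequence = tuple(sequence)
        self.window = window
        self.grant = grant
        self.progress: Dict[str, Tuple[int, float]] = {}  # src -> (next index, first knock ts)
        self.granted: Dict[str, float] = {}                # src -> expiry ts

    def observe(self, ts: float, src: str, dst_port: int) -> bool:
        """Feed one SYN; return True only when this knock completes the sequence."""
        idx, started = self.progress.get(src, (0, ts))
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts                            # too slow: forget the partial sequence
        if dst_port == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(self.sequence):
                self.granted[src] = ts + self.grant
                self.progress.pop(src, None)
                return True
            self.progress[src] = (idx, started)
        elif dst_port == self.sequence[0]:
            self.progress[src] = (1, ts)                    # wrong port, but it restarts the sequence
        else:
            self.progress.pop(src, None)                    # wrong port: back to the beginning
        return False

    def is_open_for(self, ts: float, src: str) -> bool:
        """Whether the guarded port should currently accept `src` (grant not yet expired)."""
        expiry = self.granted.get(src)
        if expiry is None or ts > expiry:
            self.granted.pop(src, None)
            return False
        return True


def process_log(text: str, knocker: PortKnocker) -> List[Tuple[str, int, bool]]:
    """Replay the log; each entry records whether that knock completed the sequence."""
    return [(src, port, knocker.observe(ts, src, port)) for ts, src, port in parse_knock_log(text)]


if __name__ == "__main__":
    knocker = PortKnocker()
    for src, port, done in process_log(SAMPLE_FW_LOG, knocker):
        print(f"{src:>14} knock {port}: {'sequence complete' if done else 'no'}")
    for stamp in ("Aug 24 11:39:55", "Aug 24 11:40:30"):
        print(f"203.0.113.9 open at {stamp[7:]}: {knocker.is_open_for(to_seconds(stamp), '203.0.113.9')}")
```

In a real deployment the `is_open_for` decision would be turned into a firewall rule insertion and removal for that source address; the example keeps the decision in memory so the three failure modes can be exercised offline. The first source completes the sequence in two seconds and is open five seconds later but closed again forty seconds after the last knock; the second knocks out of order and never gets in; the third knocks correctly but takes fifteen seconds, longer than the window, and is also refused.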