Re: rsync attempts?
On Sat, Dec 06, 2003 at 12:25:09AM +0100, Igor Mozetic wrote:
>I see repeated attempts to connect to my public rsync Debian server:
>Dec 6 00:20:01 rsync connection attempt from 184.108.40.206 (220.127.116.11:29558->x.x.x.x:873)
>rsync and kernel are patched, but I wonder if there is anything
>one can do to identify/catch/??? a potential intruder.
some ISPs will respond to complaints, if their customers are staging
attacks, most don't, you will want to script some kind of reporting
tool, use whois to find the owner of the subnet... in this case they may
do something about it: "Belarusian State University"
There is aris too:
Maintainer: Matt Zimmerman <email@example.com>
Depends: debconf, libc6 (>= 2.2.4-4), libcurl2-ssl (>= 7.9.5-1), libssl0.9.6, libstdc++2.10-glibc2.2
Description: Scan system logs for security incidents and report them to ARIS
The Attack Registry and Intelligence Service (ARIS) is a free,
user-integrated attack-trending system hosted by SecurityFocus that
allows administrators and operators of Intrusion Detection Systems
(IDSs) to track, evaluate and respond to security alerts and attacks
in a proactive manner.
As an integral piece of the ARIS Analzyer service, SecurityFocus's
open-source ARIS Extractor utility distills data provided by IDS
attack-list logs to build client portfolios that provide meaningful,
graphical analysis of potentially malicious network incidents. By
filtering out insignificant or benign data and converting it to a
common format (xml), ARIS Extractor streamlines incident reporting
for both security professionals and home users in a way that allows
IDS operators to focus only on relevant attacks and
incidents. Additionally, ARIS Extractor ensures client
confidentiality through secure file-transfer protocols and optional
IP address suppression.
GEORGE GEORGALIS, System Admin/Architect cell: 646-331-2027 <IXOYE><
Security Services, Web, Mail, mailto:firstname.lastname@example.org
Multimedia, DB, DNS and Metrics. http://www.galis.org/george
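
A starting point for the reporting script suggested in the reply above, as an added example that is not part of the original message. It assumes the log line format quoted in the thread; the sample lines are constructed (documentation address ranges) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log format quoted in the thread:
#   <timestamp> rsync connection attempt from <host> (<src>:<sport>-><dst>:<dport>)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?rsync connection attempt from\s+"
    r"(?P<host>\S+)\s+\((?P<src>[0-9.]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)\)"
)

# Constructed sample input; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 6 00:20:01 rsync connection attempt from host1.example.net (192.0.2.10:29558->x.x.x.x:873)
Dec 6 00:20:07 rsync connection attempt from host1.example.net (192.0.2.10:29561->x.x.x.x:873)
Dec 6 00:21:13 rsync connection attempt from host1.example.net (192.0.2.10:29570->x.x.x.x:873)
Dec 6 00:25:40 rsync connection attempt from mirror.example.org (198.51.100.7:40112->x.x.x.x:873)
Dec 6 00:26:02 sshd[411]: unrelated line that must be ignored
"""

def group_by_source(log_text):
    """Map source IP -> list of (timestamp, raw line) for matching lines."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            groups[m.group("src")].append((m.group("ts"), raw.strip()))
    return dict(groups)

def noisy_sources(groups, threshold=3):
    """Sources with at least `threshold` attempts; a single hit is often a mirror."""
    return sorted(ip for ip, entries in groups.items() if len(entries) >= threshold)

def draft_report(src, entries):
    """Plain-text complaint body; the recipient is the abuse contact from `whois <src>`."""
    first, last = entries[0][0], entries[-1][0]
    body = [
        f"Subject: repeated rsync (873/tcp) connection attempts from {src}",
        "",
        f"{len(entries)} attempts between {first} and {last} (server local time).",
        "Log excerpt:",
    ]
    body += ["  " + raw for _, raw in entries]
    return "\n".join(body)

if __name__ == "__main__":
    groups = group_by_source(SAMPLE_LOG)
    for ip in noisy_sources(groups):
        print(draft_report(ip, groups[ip]), end="\n\n")
```

On a real host, feed it the syslog file instead of SAMPLE_LOG and include the server's time zone in the report, since syslog timestamps carry neither year nor zone.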