Re: ssh: Repeated intrusion attempts

On Mon, 2 May 2005, Robert S wrote:

> There seem to be bursts of this sort of activity every day or two, from 
> different addresses.

good .. consider it a free server audit by script kiddies

> What concerns me is that the attackers seem to be able to retrieve the names 
> of users on my system.  How do they do that, and how can I prevent it?

lucky guess ... or plain old (trivial) network sniffing

- sniff any/all of the emails and follow that email into the server
  and try to guess their passwords
- never use the same email address ( john ) as any of your login IDs
  ( john ) .. one of them should be "jsmith" or some other non-guessable
  login ID ... and alias john@foo.com in your /etc/aliases file back to
  j1z3k5 so that j1z3k5 can read/delete/reply to their emails addressed to

> I am running Woody, with up-to-date patches, behind a cheap hardware 
> firewall-router.  Open ports are 22 (sshd), 25 (sendmail), 80 (apache), 443 
> (apache-ssl), 993 (courier-imap over ssl) and 995 (courier-pop over ssl). 

pretty good :-) .. except do not depend on the firewall .. assume it's
cracked and protect everything else ...
( full and incremental and encrypted backups .. dating back months .. )

c ya
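A check for the alias advice in the reply above, added here as an example and not part of the thread: it parses constructed /etc/aliases- and /etc/passwd-style samples (the login j1z3k5 and alias john come from the thread; mary, sales and the UIDs are made up) and flags login IDs that are also publicly used mail names.

```python
"""Added example: find login IDs that are exposed as mail addresses.
The thread's advice is that a public address such as john@foo.com should
be an alias for a non-guessable login, not a login name itself."""

# Constructed sample data; a real check would read /etc/aliases and /etc/passwd.
ALIASES_TEXT = """\
# /etc/aliases (constructed sample)
postmaster: root
john: j1z3k5
mary: mary
sales: mary,
        j1z3k5
"""

PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
j1z3k5:x:1000:1000:John Smith:/home/j1z3k5:/bin/bash
mary:x:1001:1001:Mary Jones:/home/mary:/bin/bash
"""


def parse_aliases(text):
    """Parse sendmail-style aliases: 'name: target, target'. A line starting
    with whitespace continues the previous entry; '#' starts a comment."""
    raw, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            raw[current] += line.strip()          # continuation line
            continue
        name, _, targets = line.partition(":")
        current = name.strip()
        raw[current] = targets.strip()
    return {n: [t.strip() for t in v.split(",") if t.strip()] for n, v in raw.items()}


def parse_logins(text, min_uid=1000):
    """Return the ordinary (non-system) login names from passwd-style text."""
    logins = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) >= min_uid:
            logins.add(fields[0])
    return logins


def exposed_logins(aliases, logins):
    """Public mail names that are also real login IDs: anyone who sees the
    address already knows half of the credential a password guesser needs."""
    return sorted(logins & aliases.keys())


if __name__ == "__main__":
    for name in exposed_logins(parse_aliases(ALIASES_TEXT), parse_logins(PASSWD_TEXT)):
        print(f"login '{name}' is also a public mail alias; alias it to a separate login")
```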

