Re: ssh: Repeated intrusion attempts
On Mon, 2 May 2005, Robert S wrote:
> There seem to be bursts of this sort of activity every day or two, from
> different addresses.
good .. consider it a free server audit by script kiddies
> What concerns me is that the attackers seem to be able to retrieve the names
> of users on my system. How do they do that, and how can I prevent it?
lucky guess ... or plain ole (trivial) network sniffing
- sniff any/all of the emails and follow that email into the server
and try to guess their passwords
- never use the same email addy ( john ) as any of your loginIDs
( john ) .. one of them should be "jsmith" or some other non-guessable
loginid ... and alias email@example.com in your /etc/alias files back to
j1z3k5 so that j1z3k5 can read/delete/reply their emails addressed to
> I am running Woody, with up-to-date patches, behind a cheap hardware
> firewall-router. Open ports are 22 (sshd), 25 (sendmail), 80 (apache), 443
> (apache-ssl), 993 (courier-imap over ssl) and 995 (courier-pop over ssl).
pretty good :-) .. except do not depend on the firewall .. assume it's
cracked and protect everything else ...
( full and incremental and encrypted backups .. dating back months.. )
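
Added example, not part of the original message: one way to check from the sshd log whether the names being tried really are accounts on the system or only guesses. It assumes the usual OpenSSH "Failed password for ..." wording; the log lines, addresses and the `GENERIC` guess list are constructed for the illustration.

```python
import re
from collections import defaultdict

# sshd marks a name it does not accept as an account with "invalid user"
# (older releases say "illegal user"). The greedy name group keeps a name
# that itself contains " from ... port ..." from faking the source address.
FAILED = re.compile(
    r"Failed password for (?P<unknown>(?:invalid|illegal) user )?"
    r"(?P<user>.+) from (?P<ip>\S+) port \d+"
)

GENERIC = frozenset({"root"})  # assumption: names any guess list contains

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = [
    "May  2 03:14:07 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2",
    "May  2 03:14:09 host sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40120 ssh2",
    "May  2 03:14:12 host sshd[2105]: Failed password for root from 192.0.2.10 port 40131 ssh2",
    "May  4 11:52:40 host sshd[3310]: Failed password for john from 198.51.100.7 port 51514 ssh2",
    "May  4 11:52:44 host sshd[3312]: Failed password for invalid user mary from 198.51.100.7 port 51520 ssh2",
    "May  4 11:53:01 host sshd[3320]: Accepted password for john from 203.0.113.5 port 2200 ssh2",
    "May  5 01:02:03 host sshd[4001]: Failed password for illegal user x from 10.0.0.1 port 22 from 192.0.2.44 port 40999 ssh2",
]

def summarize(lines):
    """Per source address, split the tried names into existing and unknown."""
    report = defaultdict(lambda: {"existing": set(), "unknown": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            kind = "unknown" if m.group("unknown") else "existing"
            report[m.group("ip")][kind].add(m.group("user"))
    return dict(report)

def leaked_candidates(report, generic=GENERIC):
    """Existing, non-generic accounts that were tried, with the sources."""
    hits = defaultdict(set)
    for ip, names in report.items():
        for user in names["existing"] - generic:
            hits[user].add(ip)
    return {user: sorted(ips) for user, ips in hits.items()}

if __name__ == "__main__":
    for user, ips in leaked_candidates(summarize(SAMPLE_LOG)).items():
        print(f"real account {user!r} was tried from {', '.join(ips)}")
```

If nearly every attempt lands in the "unknown" set, the names are dictionary guesses; real, non-generic account names showing up repeatedly are the case worth investigating.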