
Re: netstat output evidence of a cracker?



Adam Hardy wrote:
One routine check that I do on my webserver to check it's OK is netstat, and this time it looks like I was under attack from some muppet out there via what seems to be a brute force attempt to crack my ssh login.

(We're all seeing this all the time.)

Trying to understand the info, what is the foreign address - is that the attacker's domain name: 59-124-248-196.HI ? If so, how come it's this weird format? And what's 59-124-248-19:dircproxy? And how come so many listed connections have no PID? Are they just abandoned login attempts?

(Those are truncated displays for reverse lookups of IPs. And I'm too lazy to check about this PID thing. Just use decent passwords (or ssh key logins only) for your accounts (and possibly configure sshd to prohibit logins to any users other than those which should have access), then you're safe.)

I ran nmap from my home pc to see whether there were any unrecognised ports open that might have been opened up if the cracker had got it, and I see a couple of ports that show as filtered:

1720/tcp  filtered H.323/Q.931

"filtered" just means that you don't get replies from those ports (it's typically a firewall that DROPs packets instead of REJECTing them). If it's tcp, this means you cannot create a connection to this port. You have to find out where this packet filter resides (also check "iptables-save" from within that machine).

Christian.
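As an added example that is not part of this thread: a small Python script that parses output in the layout of `netstat -tnp` (the sample below is constructed, not the poster's real output) and groups foreign addresses by TCP state on the ssh port. It makes the two things asked about above visible at a glance: sockets with no PID are half-open or already-closed connections the kernel still tracks, and a remote address that accumulates many of them without ever reaching ESTABLISHED is the footprint of repeated failed login attempts.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout of `netstat -tnp` (not the poster's actual output).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address      State       PID/Program name
tcp        0      0 192.0.2.10:22      198.51.100.7:51234   ESTABLISHED 1234/sshd: adam
tcp        0      0 192.0.2.10:22      203.0.113.5:40001    SYN_RECV    -
tcp        0      0 192.0.2.10:22      203.0.113.5:40002    SYN_RECV    -
tcp        0      0 192.0.2.10:22      203.0.113.5:40003    TIME_WAIT   -
tcp        0      0 192.0.2.10:22      203.0.113.5:40004    TIME_WAIT   -
tcp        0      0 192.0.2.10:22      203.0.113.5:40005    TIME_WAIT   -
tcp        0      0 192.0.2.10:80      198.51.100.9:33000   ESTABLISHED 2222/apache2
"""

def parse_netstat(text):
    """Yield (local_port, remote_ip, state, pid) for each tcp socket line.
    pid is None when netstat printed '-': no process owns the socket, which is
    normal for half-open (SYN_RECV) or already-closed (TIME_WAIT) connections."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip the header and anything that is not a tcp socket
        local_port = int(fields[3].rsplit(":", 1)[1])
        remote_ip = fields[4].rsplit(":", 1)[0]
        state = fields[5]
        pid_field = fields[6] if len(fields) > 6 else "-"
        pid = None if pid_field == "-" else int(pid_field.split("/", 1)[0])
        yield local_port, remote_ip, state, pid

def peers_by_state(text, port=22):
    """Map remote_ip -> Counter of TCP states for sockets on the given local port."""
    per_ip = defaultdict(Counter)
    for local_port, remote_ip, state, _pid in parse_netstat(text):
        if local_port == port:
            per_ip[remote_ip][state] += 1
    return per_ip

def flag_bruteforce_peers(text, port=22, threshold=3):
    """Remote IPs with >= threshold sockets on the port and no ESTABLISHED session:
    many short-lived connections that never became a logged-in session."""
    flagged = []
    for ip, states in peers_by_state(text, port).items():
        total = sum(states.values())
        if total >= threshold and states.get("ESTABLISHED", 0) == 0:
            flagged.append((ip, total))
    return sorted(flagged, key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, n in flag_bruteforce_peers(SAMPLE_NETSTAT):
        print(f"{ip}: {n} non-established ssh sockets")
```

On a real host, feed it `netstat -tnp` output run as root (otherwise PIDs of other users' processes are also shown as `-`).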


