- <li><em>date</em>: Wed, 14 Dec 2005 18:14:40 -0500</li>
- <li><em>from</em>: tcarter at entrusion.com (Tony Carter)</li>
- <li><em>in-reply-to</em>: <<a href="msg00170.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] Hack of the month...</li>
Chris,

I see many of these attempts on systems I monitor. Most are from automated
scanners looking for easy prey, so sending email to abuse at whatever will
typically lead to nothing. Don't waste your time unless you know it's a
targeted attack.

I'd use hosts.allow and always ssh from a small list of machines, use port
knocker or some other method that does not give the login prompt to just
anyone.

This is a case where obscuring your port may be helpful. It'll reduce the
amount of noise in your log files and most automated scanning tools will
simply skip to the next IP if port 22 is not open.

I've been toying with the idea of putting an ssh tarpit on one of my boxes in
my honeynet and publishing the list of offending IPs.

Tony
</pre>
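An added example, not part of the original message: one way to separate automated sweeps from attempts worth a closer look, and to build the per-source list of offending IPs the message mentions. The log lines are constructed (documentation IP ranges), the line format assumed is OpenSSH's "Failed password" syslog message, and the threshold and the `known_users` set are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Dec 14 03:10:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Dec 14 03:10:03 box sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40031 ssh2
Dec 14 03:10:05 box sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 40040 ssh2
Dec 14 03:10:07 box sshd[2107]: Failed password for invalid user guest from 203.0.113.5 port 40052 ssh2
Dec 14 09:41:12 box sshd[3310]: Failed password for alice from 198.51.100.7 port 51512 ssh2
Dec 14 09:41:20 box sshd[3312]: Failed password for alice from 198.51.100.7 port 51530 ssh2
Dec 14 11:02:44 box sshd[3500]: Failed password for root from 192.0.2.44 port 33812 ssh2
Dec 14 12:00:00 box sshd[3600]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(log_text):
    """Return {ip: {"attempts": n, "users": set}} for failed password logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["attempts"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)

def classify(stats, known_users, spray_threshold=3):
    """Heuristic triage: sources that only guess names that do not exist
    locally look like dictionary sweeps; sources that try real local
    accounts may know something about the host and deserve review."""
    result = {"automated": [], "review": [], "other": []}
    for ip, s in sorted(stats.items()):
        if s["users"] & known_users:
            result["review"].append(ip)
        elif len(s["users"]) >= spray_threshold:
            result["automated"].append(ip)
        else:
            result["other"].append(ip)
    return result

if __name__ == "__main__":
    print(classify(summarize(SAMPLE_LOG), known_users={"alice", "bob"}))
```
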
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00170" href="msg00170.html">[ale] Hack of the month...</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
</ul></li></ul>
</body>
</html>