On Sat, Oct 29, 2005 at 03:29:52AM +0200, Carlos E. R. wrote:
The Friday 2005-10-28 at 19:53 -0400, Allen wrote:

> SSHd is blocked by default on SUSE.... Why are you running it?

The daemon is enabled by default, I think. It might be closed in the firewall, though.

> My guess.... You shut off the firewall or told it to allow SSH?..... The firewall is on by default now, and you can update before the machine is even fully booted...
>
> You really should give more info than this. It sounds like you turned off the firewall, or told it to allow SSH, and for some reason someone found your IP, which is weird, do you run a server?

Not weird at all. I get attempts as soon as I connect through my V90 modem (dial up dynamic address). There are people out there running port scans continuously, using scripts. Most try ports 445, 135, 139... or weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:

Oct 22 04:05:46 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=64.34.92.187 DST=81.41.201.250 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27217 DF PROTO=TCP SPT=47499 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A7E3F764C0000000001030302)

> My boxes are up 24/7 as is my connection (6.2 MBs a second) and I've had maybe ONE attack attempt on a server I was using. And that was someone trying to log into the FTP server here as root a long time ago.... Well like not that long ago. I have them up all the time though and I've never had that. I even pop them in my DMZ and no one attacks it, and believe me, I'm quite a target being someone who challenges people openly when I don't think they are doing the right thing, being a soon to be govt employee, and of course being a senior member of AntiOnline. Lol yea I'm a huge one.

They try the guest account because some installs have it, and several other "typical" names. There was a problem in sshd by which the attacker could determine if the name was valid by measuring the response time of the server, which was different if the user existed or not. Once they find a user name, they launch a dictionary attack on it.

That hole was plugged.
Cheers, Carlos Robinson
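As an added example (not from the thread), a small Python parser for the SuSEfirewall2 kernel log format quoted above: it counts dropped TCP SYNs per destination port and lists sources whose probes touched several ports, which is the kind of scanning the thread describes. The quoted log line is real; the other sample lines, the addresses (RFC 5737 test ranges), and the function names are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. Line 1 is the entry quoted in the thread; the rest are
# made-up SFW2 entries using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Oct 22 04:05:46 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=64.34.92.187 DST=81.41.201.250 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27217 DF PROTO=TCP SPT=47499 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A7E3F764C0000000001030302)
Oct 22 04:06:01 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=81.41.201.250 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3322 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 04:06:02 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=81.41.201.250 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3323 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 04:06:02 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=81.41.201.250 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=3324 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 04:07:15 nimrodel kernel: SFW2-INext-ACC-TCP IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=81.41.201.250 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 04:07:16 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=81.41.201.250 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=10 DF PROTO=UDP SPT=1026 DPT=1026 LEN=32
"""

# syslog prefix, host, "kernel:", the SFW2 chain/verdict tag, then the packet fields
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"(?P<chain>SFW2-\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens (value may be empty)
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare flag words


def parse_sfw2(line):
    """Return a dict for one SFW2 kernel log line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "chain": m.group("chain")}
    rest = m.group("rest")
    rec.update(KV_RE.findall(rest))      # SRC, DST, PROTO, SPT, DPT, TTL, ...
    rec["flags"] = {tok for tok in rest.split() if tok in FLAG_TOKENS}
    return rec


def dropped_syn_summary(log_text):
    """Count dropped TCP SYNs per destination port and collect ports per source."""
    per_port = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_sfw2(line)
        # only firewall DROPs of TCP connection attempts; accepted traffic and UDP are skipped
        if not rec or "DROP" not in rec["chain"]:
            continue
        if rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue
        port = int(rec["DPT"])
        per_port[port] += 1
        ports_by_src[rec["SRC"]].add(port)
    return per_port, dict(ports_by_src)


def likely_scanners(log_text, min_ports=3):
    """Sources whose dropped SYNs touched at least min_ports distinct destination ports."""
    _, by_src = dropped_syn_summary(log_text)
    return sorted(src for src, ports in by_src.items() if len(ports) >= min_ports)
```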