The Friday 2005-10-28 at 19:53 -0400, Allen wrote:
SSHd is blocked by default on SUSE.... Why are you running it?
The daemon is enabled by default, I think. It might be closed in the firewall, though.
My guess.... You shut off the firewall or told it to allow SSH?..... The firewall is on by default now, and you can update before the machine is even fully booted...
You really should give more info than this. It sounds like you turned off the firewall, or told it to allow SSH, and for some reason someone found your IP, which is weird, do you run a server?
Not weird at all. I get attempts as soon as I connect through my V90 modem (dial up dynamic address). There are people out there running port scans continuously, using scripts. Most try ports 445, 135, 139... or weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:

Oct 22 04:05:46 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=64.34.92.187 DST=81.41.201.250 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27217 DF PROTO=TCP SPT=47499 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A7E3F764C0000000001030302)

They try the guest account because some installs have it, and several other "typical" names. There was a problem in sshd by which the attacker could determine if the name was valid by measuring the response time of the server, which was different if the user existed or not. Once they find a user name, they launch a dictionary attack on it. That hole was plugged.

--
Cheers,
Carlos Robinson
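Added example, not part of the original message: a small parser for firewall drop entries in the format quoted above. It tallies dropped probes per protocol and port and lists sources that tried several ports. Only the first sample line comes from the message; the other lines, the function names and the three-port threshold are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Line 1 is the entry quoted in the message; the rest are constructed samples.
SAMPLE_LOG = """\
Oct 22 04:05:46 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=64.34.92.187 DST=81.41.201.250 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27217 DF PROTO=TCP SPT=47499 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A7E3F764C0000000001030302)
Oct 22 04:07:02 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=81.41.201.250 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4411 DF PROTO=TCP SPT=3021 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 22 04:07:03 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=81.41.201.250 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4412 DF PROTO=TCP SPT=3022 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 22 04:07:04 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=81.41.201.250 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4413 DF PROTO=TCP SPT=3023 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 22 04:09:30 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=81.41.201.250 LEN=505 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=31337 DPT=1026 LEN=485
Oct 22 04:12:00 nimrodel pppd[2210]: rcvd [LCP EchoRep id=0x4 magic=0x1a2b3c4d]
"""

ENTRY = re.compile(r"kernel: (SFW2-\S*DROP\S*) (.*)$")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the fields of one dropped-packet entry, or None for other lines."""
    m = ENTRY.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group(2)))
    if not {"SRC", "PROTO", "DPT"} <= fields.keys():
        return None  # e.g. ICMP entries carry no DPT
    fields["RULE"] = m.group(1)
    fields["DPT"] = int(fields["DPT"])
    return fields

def summarize(log_text):
    """Count probes per (protocol, port) and collect the ports each source tried."""
    per_port = Counter()
    per_source = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            key = (entry["PROTO"], entry["DPT"])
            per_port[key] += 1
            per_source[entry["SRC"]].add(key)
    return per_port, per_source

def multi_port_sources(per_source, min_ports=3):
    """Sources that probed at least min_ports distinct ports (likely scanners)."""
    return sorted(s for s, ports in per_source.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LOG)
    for (proto, port), n in ports.most_common():
        print(f"{proto}/{port}: {n}")
    print("multi-port sources:", multi_port_sources(sources))
```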