Re: [SLUG] Crack Attempts

From: William Coulter (wrcoulter30@yahoo.com)
Date: Mon Jul 25 2005 - 09:51:24 EDT


I found this today on freshmeat, and I thought that this might help in stopping attacks without
user input.
BLD 0.3.3 by Olivier Beyssac - Mon, Jul 25th 2005 03:13 PDT

About: BLD stands for "blacklist daemon" and is intended to serve a blacklist. The blacklist is
built by simply inserting IP addresses or by using submission rate limits based on a maximum
number of submissions of the same IP address within a minimum time interval. A BLD cluster can be
built by configuring the daemon to notify other similar daemon(s) every time an IP address is
added to the blacklist. BLD was primarily designed to fight against dictionary-based spam (by
making the MTA report to BLD any host that tries to send email to an unknown user), but can be
used by any program.

I don't know if it works for a business or a home use. I may give this a try myself.

William

--- Mike Branda <mike@wackyworld.tv> wrote:

> On Fri, 2005-07-15 at 12:00 -0400, Josh Bowers wrote:
> > Steven Buehler wrote:
> > >
> > > On Jul 15, 2005, at 11:26 AM, John Pugh wrote:
> > >
> > >> FYI...most of these "attacks" come from already hacked
> > >> computers so retaliation might be directed towards the wrong people.
> > >
> > >
> > > There is also the possibility that the attacking computer has a forged IP
> > > or is doing so through a proxy.
>
> This started happening to me at the office about a year ago. My
> research back then never showed the same originating IP twice so I gave
> up on trying to track it. A combo of things fixed it and the logs have
> been quiet since. I denied root access, rolled the ssh port to a
> different unused high port (hopefully out of the common scanning
> range...who's gonna scan everything from 1025-65535?), and since I
> needed the ssh capabilities, I clamped down hosts.allow/deny to only 1
> originating source IP....mine at home.
>
> >
> > I had these a couple of weeks ago and looked into it. It is probably
> > someone's rooted box running an SSH brute force cracker.
> >
>
> This is the conclusion I came to back then too. Here's a site that has
> the code from one such brute force script. Maybe it'll help the counter
> combat attempts.
>
> http://www.frsirt.com/exploits/08202004.brutessh2.c.php
>
> Originally an article I read said that the usernames that were being
> used at the time were default Solaris (I think) usernames of nobody,
> test and guest. I thought only M$ was looney enough to include such
> generic usernames.
>
> HTH.
>
> Mike Branda Jr.
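The submission-rate rule in the BLD blurb above (an IP goes on the list once it has been submitted a maximum number of times within a minimum interval, or is inserted directly) is simple enough to show in full. The Python below is an added example, not BLD's own code; it feeds the rule from sshd "Failed password" lines, since that is the traffic this thread is about. The class and function names are mine, and the log lines are constructed, using the nobody/test/guest usernames Mike mentions.

```python
"""Rate-limited IP blacklist of the kind BLD describes (added example, not BLD's code).

An IP is listed once it has been submitted MAX_SUBMISSIONS times within
INTERVAL seconds, or when it is inserted directly.  Entries expire after TTL.
"""
import re
import time
from collections import defaultdict, deque

# Shape of an OpenSSH "Failed password" line; the sample lines below are constructed.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

# Constructed sshd log excerpt: 192.0.2.10 hammers default-looking usernames,
# 198.51.100.7 fails twice, and one legitimate login is mixed in.
SAMPLE_LOG = [
    "sshd[1201]: Failed password for invalid user nobody from 192.0.2.10 port 4411 ssh2",
    "sshd[1202]: Failed password for invalid user test from 192.0.2.10 port 4412 ssh2",
    "sshd[1203]: Failed password for invalid user guest from 192.0.2.10 port 4413 ssh2",
    "sshd[1204]: Failed password for root from 192.0.2.10 port 4414 ssh2",
    "sshd[1205]: Failed password for bob from 198.51.100.7 port 5001 ssh2",
    "sshd[1206]: Failed password for admin from 192.0.2.10 port 4415 ssh2",
    "sshd[1207]: Failed password for invalid user oracle from 192.0.2.10 port 4416 ssh2",
    "sshd[1208]: Failed password for bob from 198.51.100.7 port 5002 ssh2",
    "sshd[1209]: Accepted publickey for bob from 198.51.100.7 port 5003 ssh2",
]


class Blacklist:
    def __init__(self, max_submissions=5, interval=60.0, ttl=3600.0):
        self.max_submissions = max_submissions
        self.interval = interval          # window, in seconds
        self.ttl = ttl                    # how long a listing lasts
        self._hits = defaultdict(deque)   # ip -> timestamps of recent submissions
        self._listed = {}                 # ip -> expiry timestamp

    def is_listed(self, ip, now=None):
        """True while ip is on the list; expired entries are dropped lazily."""
        now = time.time() if now is None else now
        expiry = self._listed.get(ip)
        if expiry is None:
            return False
        if now > expiry:
            del self._listed[ip]
            return False
        return True

    def add(self, ip, now=None):
        """Direct insertion, the other way BLD's blurb says the list is built."""
        now = time.time() if now is None else now
        self._listed[ip] = now + self.ttl

    def submit(self, ip, now=None):
        """Record one submission for ip; return True if ip is (now) blacklisted."""
        now = time.time() if now is None else now
        if self.is_listed(ip, now):
            return True
        window = self._hits[ip]
        window.append(now)
        # Discard submissions older than the interval; only the recent burst counts.
        while window and now - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.max_submissions:
            self.add(ip, now)
            del self._hits[ip]
            return True
        return False

    def listed(self, now=None):
        """Sorted list of IPs currently on the blacklist."""
        now = time.time() if now is None else now
        return sorted(ip for ip in list(self._listed) if self.is_listed(ip, now))


def feed_sshd_log(lines, blacklist, t0=0.0, step=1.0):
    """Submit the source IP of every failed login, one line per `step` seconds.

    Returns the IPs listed after the last line has been processed."""
    for i, line in enumerate(lines):
        m = FAILED_RE.search(line)
        if m:
            blacklist.submit(m.group(2), now=t0 + i * step)
    return blacklist.listed(now=t0 + len(lines) * step)


if __name__ == "__main__":
    bl = Blacklist(max_submissions=5, interval=60.0)
    print("blacklisted:", feed_sshd_log(SAMPLE_LOG, bl))
```

With five failures allowed per minute, only 192.0.2.10 ends up listed; the two failures from 198.51.100.7 never reach the threshold. The window is what makes the interval matter: a scanner that spaces its guesses twenty seconds apart never has five timestamps inside a sixty-second window and is never listed, so the threshold and interval have to be chosen against the attack rate you actually see in your logs. A failed sshd login comes over an established TCP connection, so the address in the log is the real peer, but as the thread notes that peer is very likely a compromised host or a proxy rather than the operator.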


This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:22:28 EDT