On Mon, 2005-08-15 at 11:11, Rick Lim wrote:
> Hi there,
>
> I know this is not the correct forum to ask this question, but I have to
> start somewhere.......
>
> I have a friend with a Linux firewall box.
> There appears to be a very simple minded hacker trying to do simple ssh
> password attacks on this box.
>
> I have been using whois and reporting this to each ISP he/she is coming from
> but he/she just breaks into a different machine on a new ISP and tries
> again.
>
> Is there something more I can do to track this person down?
> Thanks.
>

This is most likely the standard script kiddie attack that virtually everyone has seen if they have ssh open to the Internet.

Best course of action if you need ssh access is to make sure you have disabled root login via ssh and restrict ssh access to a few specific users. Make sure those users have good passwords: no names or dictionary words, 10 or more characters, using numbers and special characters.

One alternative is to move the ssh port to a different port number. This is not really a security change, as any actual hacker will port scan your IP and find it. But it will keep the script kiddies from filling your log files up.
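
Added example, not part of the original message: a Python check of an `sshd_config` against the three points in the reply (root login, restricting users, port). The sample config and function names are constructed for illustration, and accepting `AllowGroups` in place of `AllowUsers` is an assumption beyond what the reply says.

```python
import re

# Constructed sample config for illustration (not from the original message).
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (sample)
Port 22
PermitRootLogin yes
PermitRootLogin no
#AllowUsers alice bob
Match Address 10.0.0.0/8
    AllowUsers alice
"""

def global_settings(text):
    """Collect global keywords; sshd keeps the FIRST value it sees per keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # lines after Match are conditional, not global
        if key == "port":
            seen.setdefault("port", []).append(value)  # Port may repeat
        else:
            seen.setdefault(key, value)
    return seen

def audit(text):
    """Return one finding per point from the reply that the config misses."""
    cfg = global_settings(text)
    findings = []
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set; default depends on OpenSSH version")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}', expected 'no'")
    # Assumption: AllowGroups is accepted as an equivalent restriction.
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups; logins not limited to named users")
    if "22" in cfg.get("port", ["22"]):  # sshd listens on 22 when Port is absent
        findings.append("listening on port 22; expect scanner noise in logs")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

The sample deliberately repeats `PermitRootLogin`: the later `no` has no effect because the earlier `yes` wins, and the `AllowUsers` inside the `Match` block does not restrict logins globally.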