--- Andy Green <andy@xxxxxxxxxxx> wrote:

> > Most probably some virus or other which has claimed another brain-dead
> > victim (known as Windows users). The IP is most likely false. If you're
> > that concerned, switch off ssh.
>
> Since it's a TCP connection to ssh, the IPs will be real.
>
> These are automated attacks coming from all around as Mike said, there
> is no "person". They won't be stopping any time soon and will probably
> only increase in sophistication.
>
> Best plan is to get your friend to move his ssh port off 22. That will
> really make it difficult to attack him, since they no longer have the
> free information that 22 is the port and ssh is the protocol.
>
> Edit /etc/ssh/sshd_config and change
>
>     Port 22
>
> to some other number, then
>
>     service sshd restart
>
> update any holes in firewalls accordingly: you can do it by hand with
> (eg, for port 5678)
>
>     iptables -I INPUT -p tcp --dport 5678 -j ACCEPT
>     service iptables save
>
> -Andy

After you switch ssh to an alt port, you could set up a honeypot on port 22 using a virtual machine (VMware or Xen...). Oh, and keep the honeypot off your network so no one can get anywhere from it.

If it's a worm, then you probably won't get anywhere with the honeypot. If it's a simple-minded hacker (probably not) then you could get enough info to trace them down. If it's someone running scripted attacks, they'll eventually read their logs and see your honeypot as a potential victim.

I had a similar problem with ftp, and one day I accidentally turned off some security (too easy to do in Windows) and got tagged. I didn't actually set up the honeypot, but the thought did cross my mind.

-j
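
As an added example (not part of either message above): a check to run before `service sshd restart` when moving the port as Andy describes, listing any sshd port that the saved iptables rules do not yet accept, so the restart does not lock you out. The function names and the sample config and rule dumps are constructed for illustration; it recognises only plain `Port N` lines and explicit `--dport` ACCEPT rules in the INPUT chain.

```shell
#!/bin/sh
# Added example: list sshd ports that the saved iptables rules do not accept.

# Print the ports sshd will listen on according to an sshd_config file.
# Keywords are case-insensitive; with no Port line sshd defaults to 22.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Succeed if the iptables-save dump in $2 has an INPUT rule accepting tcp/$1.
# Assumption: only explicit single-port rules count (no multiport, no ranges).
port_accepted() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" {
            tcp = dport = accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i+1) == "tcp") tcp = 1
                if ($i == "--dport" && $(i+1) == port) dport = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (tcp && dport && accept) ok = 1
        }
        END { exit !ok }' "$2"
}

# Print each configured sshd port that lacks an ACCEPT rule; fail if any.
unreachable_ports() {
    missing=0
    for p in $(sshd_ports "$1"); do
        port_accepted "$p" "$2" || { echo "$p"; missing=1; }
    done
    return "$missing"
}

# Constructed sample inputs (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 5678' 'PermitRootLogin no' > "$tmp/sshd_config"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' 'COMMIT' > "$tmp/rules.old"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -p tcp -m tcp --dport 5678 -j ACCEPT' 'COMMIT' > "$tmp/rules.new"

unreachable_ports "$tmp/sshd_config" "$tmp/rules.old" ||
    echo "^ not open yet: fix the firewall before restarting sshd"
unreachable_ports "$tmp/sshd_config" "$tmp/rules.new" && echo "all sshd ports accepted"
```

On a real host, pass `/etc/ssh/sshd_config` and a file written by `iptables-save` instead of the sample files.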