Boris Glawe wrote:
So shall I worry about it or do I need to do some countermeasures?
Just ignore it, if your passwords are long enough and are NOT based on
words that can be found in dictionaries. Change the passwords from
time to time AND keep your sshd up to date.
If I have too many root login requests (>200) and I am able to find
out the attackers provider (with nslookup <ip-address>), I sometimes
write an abuse report to the provider.
Most of these attacks are script kiddies who are only successful
in case your password is empty or matches the username.
greets Boris
Hi Boris
Since I need the ssh service, I can't disable it. Actually counting the
number of root pw attacks it was 540 within 28 mins; after that he
switched over to pw guessing for random usernames for another 500 times
and 25 mins. Anyway nslookup gives:
nslookup 81.208.32.170
Server: 134.60.1.111
Address: 134.60.1.111#53
Non-authoritative answer:
170.32.208.81.in-addr.arpa name = 81-208-32-170.ip.fastwebnet.it.
Authoritative answers can be found from:
81.in-addr.arpa nameserver = TINNIE.ARIN.NET.
81.in-addr.arpa nameserver = NS3.NIC.FR.
81.in-addr.arpa nameserver = SEC1.APNIC.NET.
81.in-addr.arpa nameserver = SEC3.APNIC.NET.
81.in-addr.arpa nameserver = SUNIC.SUNET.SE.
81.in-addr.arpa nameserver = NS-EXT.ISC.ORG.
81.in-addr.arpa nameserver = NS-PRI.RIPE.NET.
NS3.NIC.FR internet address = 192.134.0.49
NS3.NIC.FR has AAAA address 2001:660:3006:1::1:1
SEC1.APNIC.NET internet address = 202.12.29.59
SEC3.APNIC.NET internet address = 202.12.28.140
SEC3.APNIC.NET has AAAA address 2001:dc0:1:0:4777::140
SUNIC.SUNET.SE internet address = 192.36.125.2
NS-PRI.RIPE.NET internet address = 193.0.0.195
NS-PRI.RIPE.NET has AAAA address 2001:610:240:0:53::3
TINNIE.ARIN.NET internet address = 69.25.34.195
TINNIE.ARIN.NET has AAAA address 2001:440:2000:1::22
I actually don't know what to do with this output.
and btw just using the ip in a webbrowser it comes up with a page from
IBM ?!? ... weird...
greets,
fengler
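
Added example, not written by either poster: a Python script that counts failed sshd password attempts per source address, split into root and other user names as in the figures above, and lists the addresses that exceed the >200 root-attempt mark mentioned in the thread. It assumes OpenSSH's syslog "Failed password for ..." line format; the host name, addresses and log lines produced by sample_log() are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed OpenSSH syslog format. The user name is attacker-controlled, so it is
# matched greedily and the address is taken from the last " from ... port" pair.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<unknown>(?:invalid|illegal) user )?(?P<user>.*) from "
    r"(?P<ip>[0-9A-Fa-f.:]+) port \d+(?: ssh\d)?\s*$"
)

def summarize(lines, year=2000):
    """Per source IP: root attempts, attempts on other names, first/last seen."""
    stats = defaultdict(lambda: {"root": 0, "other": 0, "first": None, "last": None})
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = stats[m["ip"]]
        is_root = m["user"] == "root" and not m["unknown"]
        s["root" if is_root else "other"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def over_threshold(stats, root_limit=200):
    """Addresses with more than root_limit failed root logins (>200 in the thread)."""
    return sorted(ip for ip, s in stats.items() if s["root"] > root_limit)

def sample_log():
    """Constructed log lines (documentation addresses), not from a real server."""
    t0 = datetime(2000, 3, 3, 10, 0, 0)
    def line(offset, who, ip):
        stamp = (t0 + timedelta(seconds=offset)).strftime("%b %d %H:%M:%S")
        return f"{stamp} host sshd[4242]: Failed password for {who} from {ip} port 40000 ssh2"
    lines = [line(3 * i, "root", "203.0.113.5") for i in range(540)]
    lines += [line(1680 + 3 * i, f"invalid user guest{i}", "203.0.113.5") for i in range(500)]
    lines.append(line(0, "root", "198.51.100.7"))
    # a user name crafted to look like a root failure from another address
    lines.append(line(0, "invalid user root from 198.51.100.7 port 1", "203.0.113.5"))
    return lines

if __name__ == "__main__":
    stats = summarize(sample_log())
    for ip in over_threshold(stats):
        s = stats[ip]
        print(ip, s["root"], "root /", s["other"], "other in", s["last"] - s["first"])
```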