Rick Stevens wrote:
Personally, I still prefer iptables. Block them at the NIC level (or as
close as you can). Why let them in any further than you absolutely have
to?
Unfortunately I can't. My company's server hardening policy says
IPTables should be off! I have to apply for a "Security Override" if I
have to enable it. Go figure.
I'm trying to get that changed.
My original concern, more of a curiosity really, was about the username
NOUSER. I've be getting attempts for root ever since this server went
live. But never for "NOUSER".
If you're still getting SSH crack attempts even though there's a
firewall out there, then you're either getting hit from someone you
"trust" or it's coming from inside your network. I'd start an audit PDQ
(pretty damned quick) and find the culprit. Undoubtedly some twit
with a Windows box is infected, either by getting hacked or by opening
an email with a worm attached.
I did check where the attempts were coming from. The source IP addresses
were assigned to ISPs. So infected windows systems are most likely to be
the culprits.
--
Regards,
विवेक ज. पाटणकर (Vivek J. Patankar)
Registered Linux User #374218
Fedora release 7 (Moonshine)
Linux 2.6.22.1-33.fc7 x86_64
