How are people handling network attacks?
steve at horne.homelinux.net
Sat Feb 26 13:29:53 EST 2005
Hello blu --
I have a cable modem connected to a "firewall" -- Slackware-based,
2.4.22, iptables. Recently I've seen an increase in the number of dictionary-based
attacks. The log fills up with stuff like this:
Feb 25 20:01:56 horne sshd[2407]: Failed password for root from 61.177.137.170 port 58956 ssh2
Feb 25 20:02:05 horne sshd[2409]: Failed password for root from 61.177.137.170 port 59007 ssh2
Feb 25 20:02:11 horne sshd[2411]: Failed password for root from 61.177.137.170 port 59055 ssh2
Feb 25 20:02:17 horne sshd[2413]: Failed password for root from 61.177.137.170 port 59083 ssh2
Feb 25 20:02:27 horne sshd[2415]: Failed password for root from 61.177.137.170 port 59115 ssh2
Feb 25 20:02:35 horne sshd[2417]: Failed password for root from 61.177.137.170 port 59173 ssh2
Feb 25 20:02:41 horne sshd[2419]: Failed password for root from 61.177.137.170 port 59206 ssh2
Feb 25 20:02:57 horne sshd[2421]: Failed password for root from 61.177.137.170 port 59246 ssh2
Looks like a systematic attack... 8 attempts, various ports...
Several per night, from various places.
I've tried email to their providers -- when I can figure out who they are...
just get automated responses -- basically blown off.
I've taken to harvesting the log for the IP addresses and adding them to my firewall rules, just
to annoy them, really -- (Hah)
For what it's worth, here are the last 20 or so miscreants that have shown up -
this is cut from iptables -L
Do I have any other options? Can Comcast block them upstream?
Do ISPs, in general, care about this sort of thing?
Thanks,
Steve