[Intrusions] brute force attack - tcp wrappers and iptables not helping?

Smith, Donald Donald.Smith at qwest.com
Fri Apr 22 14:30:43 GMT 2005


Can you do a couple of reverse lookups to see what is getting returned
on the attack IPs?
We have seen one DNS server that was returning something that MIGHT get
past your filters based on the name being returned.


donald.smith at qwest.com giac 

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Susanne Hemker
> Sent: Thursday, April 21, 2005 8:24 AM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] brute force attack - tcp wrappers and 
> iptables nothelping?
> 
> 
> Hi everybody,
> 
> Somebody is trying to break into one of our workstations. 
> The /var/log/secure contains lots of:
> 
>  Failed password for invalid user $name  from ::ffff:$IP  port $port ssh2
> 
> from different IPs, ports and usernames.
> 
> Since the tcp wrappers and the iptables should not allow ssh login from
> any host outside our lab, I am wondering how he/she even got to the 
> login. Any suggestions?
> 
> Thanks,
> 
> Susanne


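The reverse-lookup check suggested in the reply, as an added example that is not part of the original thread: it pulls the source addresses out of log lines in the format quoted above and tests whether the name each PTR record returns also resolves forward to the same address. The sample log lines, the host name `ws12.lab.example` and the two lookup tables are constructed for the example.

```python
import ipaddress
import re
import socket

# sshd line format quoted in the post; only the source address is captured.
FAILED = re.compile(r"Failed password for .* from (\S+)\s+port \d+")
# Constructed sample data: documentation address ranges and a made-up lab host.
SAMPLE_LOG = [
    "Apr 21 08:01:12 ws sshd[2211]: Failed password for invalid user test from ::ffff:198.51.100.7 port 40112 ssh2",
    "Apr 21 08:01:15 ws sshd[2214]: Failed password for invalid user admin from ::ffff:198.51.100.7 port 40150 ssh2",
    "Apr 21 08:02:03 ws sshd[2230]: Failed password for invalid user guest from ::ffff:203.0.113.9 port 51822 ssh2",
]
FAKE_PTR = {"198.51.100.7": "ws12.lab.example"}   # what reverse DNS claims
FAKE_A = {"ws12.lab.example": {"192.0.2.10"}}     # what the name really resolves to

def source_ips(log_lines):
    """Unique client addresses in first-seen order, ::ffff:a.b.c.d unwrapped to IPv4."""
    seen = []
    for line in log_lines:
        m = FAILED.search(line)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:          # sshd logged something that is not an address
            ip = None
        if ip is not None and ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if ip is not None and ip not in seen:
            seen.append(ip)
    return seen

def reverse_lookup(ip):
    """PTR name for ip, or None if there is no reverse record."""
    try:
        return socket.gethostbyaddr(str(ip))[0]
    except OSError:
        return None

def forward_lookup(name):
    """Set of address strings that name resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_ptr(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return (ptr_name, verdict); 'unconfirmed' means the PTR name does not map back to ip."""
    name = reverse(ip)
    if name is None:
        return (None, "no-ptr")
    return (name, "confirmed" if str(ip) in forward(name) else "unconfirmed")
```

Called with the default resolvers, `check_ptr` queries live DNS; an `unconfirmed` result whose name looks like one of your own hosts is the case the reply asks about.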

