Crack attempt
Brian Densmore
DensmoreB at ctbsonline.com
Fri Oct 29 12:31:45 CDT 2004
> -----Original Message-----
> From: Dustin Decker
>
> Immediately after I replied to your earlier post, I thought to myself, "I
> really ought to ask Brian what the traffic looked like." If it's UDP, I'd
> almost wholesale expect it is spoofed. Same applies to ICMP, but if you're
> looking at genuine TCP traffic, with an established three-way-handshake,
> it's a different story. (If you're working solely on the basis of what you
> find in syslog and the like, you might not be able to answer the question
> either. [Insert soapbox about logging all packets that traverse the border
> here.])
>
Should definitely be TCP traffic. Attempts to log in via ssh from
various ports. I don't think there's a port over 1024 on my
system he/she left untouched. There may have been other ports/
services that were attempted, but they would have been dropped as
part of the firewall rules. Not sure if I'm logging all the
various ports/services such as ftp, etc. Don't want to open my
server up to too easy of a DoS attack, so I basically ignore
the impossible services.
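One way to pull the kind of sshd records Brian describes out of syslog and see how many failures each source produced, as an added example that is not part of the thread: the log lines below are constructed, the regex follows the OpenSSH "Failed password" message format, and the "port" field in such records is the client's ephemeral source port for that connection.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread), in the OpenSSH auth log format.
SAMPLE_LOG = """\
Oct 29 11:02:13 host sshd[4120]: Failed password for invalid user admin from 192.0.2.77 port 3241 ssh2
Oct 29 11:02:15 host sshd[4122]: Failed password for invalid user test from 192.0.2.77 port 3299 ssh2
Oct 29 11:02:18 host sshd[4125]: Failed password for root from 192.0.2.77 port 3350 ssh2
Oct 29 11:02:20 host sshd[4127]: Failed password for invalid user oracle from 192.0.2.77 port 3412 ssh2
Oct 29 11:05:01 host sshd[4130]: Accepted publickey for brian from 198.51.100.9 port 51022 ssh2
Oct 29 11:06:44 host sshd[4133]: Failed password for brian from 198.51.100.9 port 51030 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2"
)


def summarize_failed_logins(log_text):
    """Return {source_ip: {"attempts": n, "users": set, "ports": set}} for failed sshd logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ports": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated syslog lines are skipped
        entry = stats[m.group("src")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
        entry["ports"].add(int(m.group("port")))
    return dict(stats)


def flag_brute_force(stats, min_attempts=3):
    """Sources with at least min_attempts failed logins, sorted for stable output.
    Each failure came over a completed TCP connection, so unlike a UDP or ICMP
    flood the source address in these records is not trivially spoofable."""
    return sorted(src for src, e in stats.items() if e["attempts"] >= min_attempts)


if __name__ == "__main__":
    stats = summarize_failed_logins(SAMPLE_LOG)
    for src in flag_brute_force(stats):
        e = stats[src]
        print(f"{src}: {e['attempts']} failures, users={sorted(e['users'])}, "
              f"client ports={sorted(e['ports'])}")
```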