[plug] Attempted Intrusions

James Devenish devenish at guild.uwa.edu.au
Wed Oct 20 10:10:51 WST 2004


In message <1isg42xlu.ln2 at shameless.plug.org.au>
on Wed, Oct 20, 2004 at 09:44:55AM +0800, Marc Wiriadisastra wrote:
> All it is is that I haven't limited the IPs to who can access ssh 
> because sometimes I'm away on business and the only access I have is a 
> dialup.  How do I get around that or is there not a way around it?

We are all subject to volumes of attacks every day as part of the
background noise of the Internet, and what you described could be the
work of any number of automated infectious attacks that exist for SSH.
There was one recent attack which basically exploited weak passwords in
the first instance. View it as with a web server: chances are, it is
going to be vulnerable to an exploit or denial of service attack one
day, possibly through a programming error or a misconfiguration on your
behalf. However, you can't block people arbitrarily from using your web
server because that would defeat its business purpose. You *could* run
a continuous monitoring tool that would attempt to detect known attacks
and then blacklist the offending addresses but this, like spam
blacklists, is an inexact art and needs to be moulded to your server's
purpose and requirements. You should first ensure you are keeping public
servers patched and sensibly configured, and that you have some plan for
receiving and responding to external security advice and internal
security breaches.
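
Added example, not part of the original message: a minimal sketch of the monitoring idea described in the reply above. It counts failed sshd logins per source address inside a sliding window and separates addresses that also logged in successfully, since those need a human look rather than an automatic block. The log lines, host name, user names, threshold and window are constructed assumptions; the year is supplied because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines using documentation-range addresses.
SAMPLE_LOG = """\
Oct 20 03:12:01 gw sshd[811]: Failed password for root from 192.0.2.10 port 4001 ssh2
Oct 20 03:12:03 gw sshd[813]: Failed password for illegal user test from 192.0.2.10 port 4002 ssh2
Oct 20 03:12:05 gw sshd[815]: Failed password for illegal user guest from 192.0.2.10 port 4003 ssh2
Oct 20 08:00:10 gw sshd[900]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Oct 20 08:00:20 gw sshd[901]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
Oct 20 09:00:00 gw sshd[950]: Failed password for admin from 203.0.113.5 port 6001 ssh2
Oct 20 11:00:00 gw sshd[951]: Failed password for admin from 203.0.113.5 port 6002 ssh2
Oct 20 13:00:00 gw sshd[952]: Failed password for admin from 203.0.113.5 port 6003 ssh2
Oct 20 14:00:01 gw sshd[960]: Failed password for alice from 203.0.113.9 port 7001 ssh2
Oct 20 14:00:05 gw sshd[961]: Failed password for alice from 203.0.113.9 port 7002 ssh2
Oct 20 14:00:09 gw sshd[962]: Failed password for alice from 203.0.113.9 port 7003 ssh2
Oct 20 14:00:30 gw sshd[963]: Accepted password for alice from 203.0.113.9 port 7004 ssh2
"""

# Timestamp, outcome and source address of an sshd authentication line.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for "
                  r"(?:(?:invalid|illegal) user )?\S+ from (\S+) port \d+")

def classify_sources(log_text, max_failures=3, window=timedelta(minutes=10), year=2004):
    """Split noisy sources into 'block' (failures only) and 'review' (failures
    plus a success: a mistyping roaming user, or a password that was guessed)."""
    recent = defaultdict(deque)   # source address -> failure times inside the window
    flagged, succeeded = set(), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, outcome, addr = m.groups()
        if outcome == "Accepted":
            succeeded.add(addr)
            continue
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(addr)
    return {"block": sorted(flagged - succeeded), "review": sorted(flagged & succeeded)}
```

Lowering max_failures to 1 puts the slow, spread-out source and the user who mistyped once into the result as well, which is the tuning trade-off the reply calls an inexact art.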




