Maybe this is a dumb question, but why not set up a honeynet or an IDS
like snort and block addresses or networks as they begin scanning? Less
administration needed and you don't have to block ranges larger than
necessary...
Also, I threw together a little C app and script which will quickly find
passwords commonly used in brute force attacks. You may be able to use
it with cron to locate users with easily-guessed passwords and reset
them so brute force attacks aren't as successful.
http://freshmeat.net/p/dumbass/
Gerry Dalton wrote:
I have seen similar probes over the last 2 months. Most all have been from
APNIC address blocks. I got so tired of some of it I just went ahead and
blocked a full range of addresses from getting past our border routers.
So far these have just been a nuisance.
Gerry
At 09:21 AM 12/20/2004, Dejan Markovic wrote:
Hi Guys,
Don't know whether this is the right list, but need to ask if others have
the same entries in their logs for the past number of months. Let me take a
step back, I maintain a number of networks on different IP ranges and they
are all being probed by what looks like a tool, or maybe it is the same
group/script. The originating computers range from open proxies to owned
boxes and there are two distinct patterns I've seen so far. The following
scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
caught my attention the first time a while back, and still getting the same
scans on a daily basis:
account/password from 210.245.168.28: 1 Time(s)
adam/password from 210.245.168.28: 1 Time(s)
adm/password from 210.245.168.28: 2 Time(s)
alan/password from 210.245.168.28: 1 Time(s)
apache/password from 210.245.168.28: 1 Time(s)
backup/password from 210.245.168.28: 1 Time(s)
cip51/password from 210.245.168.28: 1 Time(s)
cip52/password from 210.245.168.28: 1 Time(s)
cosmin/password from 210.245.168.28: 1 Time(s)
cyrus/password from 210.245.168.28: 1 Time(s)
data/password from 210.245.168.28: 1 Time(s)
frank/password from 210.245.168.28: 1 Time(s)
george/password from 210.245.168.28: 1 Time(s)
henry/password from 210.245.168.28: 1 Time(s)
horde/password from 210.245.168.28: 1 Time(s)
iceuser/password from 210.245.168.28: 1 Time(s)
irc/password from 210.245.168.28: 2 Time(s)
jane/password from 210.245.168.28: 1 Time(s)
john/password from 210.245.168.28: 1 Time(s)
master/password from 210.245.168.28: 1 Time(s)
matt/password from 210.245.168.28: 1 Time(s)
mysql/password from 210.245.168.28: 1 Time(s)
nobody/password from 210.245.168.28: 1 Time(s)
noc/password from 210.245.168.28: 1 Time(s)
operator/password from 210.245.168.28: 1 Time(s)
oracle/password from 210.245.168.28: 1 Time(s)
pamela/password from 210.245.168.28: 1 Time(s)
patrick/password from 210.245.168.28: 2 Time(s)
rolo/password from 210.245.168.28: 1 Time(s)
root/password from 210.245.168.28: 59 Time(s)
server/password from 210.245.168.28: 1 Time(s)
sybase/password from 210.245.168.28: 1 Time(s)
test/password from 210.245.168.28: 5 Time(s)
user/password from 210.245.168.28: 3 Time(s)
web/password from 210.245.168.28: 2 Time(s)
webmaster/password from 210.245.168.28: 1 Time(s)
www-data/password from 210.245.168.28: 1 Time(s)
www/password from 210.245.168.28: 1 Time(s)
wwwrun/password from 210.245.168.28: 1 Time(s)
Regards,
Dan
