5th November 2010
jggimi

  1. You are not alone. Many people panic when computer operations do not go as expected, and assume the worst.
  2. Any publicly addressable IP address, anywhere on the planet, gets probed constantly by bad guys.
    1. Most use simplistic automation that scans for open TCP or UDP ports, and records them for later attack by specific software designed for attacking a specific service that uses that port number.
    2. Most commonly, they go after poorly maintained Windows boxes.
    3. Any service with a known hole ever in its life will be probed, to see if that service is poorly maintained.
    4. Examples of common attacks:
      1. ftp servers will be constantly probed to see if there is a userid "Administrator" because if a Windows box is running an ftp service, brute force attacks can be used against poor password selection -- such as "Administrator". Simple dictionary attacks against accounts like that are common.
      2. sshd servers will be probed for common userids: "root" and "test" and others, with similar dictionary attacks. If you run sshd(8) with password authentication disabled entirely, you will still see these constant attempts in your logs, even though no password will ever be accepted.
I use PF's state management tools for my public services just to reduce the size of my logs -- not because they'll ever get in.
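An added example, not part of the original post: a small Python summary of the sshd(8) log noise described above, tallying which userids are probed and which sources exceed a per-source rate. The log lines are constructed, and the 5-events-in-30-seconds threshold and the `summarize` name are assumptions; the post does not say which PF settings its author uses.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE_LOG = """\
Nov  5 03:10:01 gw sshd[4101]: Invalid user test from 203.0.113.7
Nov  5 03:10:03 gw sshd[4102]: Invalid user admin from 203.0.113.7
Nov  5 03:10:05 gw sshd[4103]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov  5 03:10:08 gw sshd[4104]: Invalid user oracle from 203.0.113.7
Nov  5 03:10:09 gw sshd[4104]: Failed password for invalid user oracle from 203.0.113.7 port 40120 ssh2
Nov  5 03:10:11 gw sshd[4105]: Invalid user guest from 203.0.113.7
Nov  5 03:10:14 gw sshd[4106]: Invalid user test from 203.0.113.7
Nov  5 04:00:00 gw sshd[4200]: Invalid user test from 198.51.100.23
Nov  5 09:30:00 gw sshd[4300]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# One probe per attempt: "Failed password for invalid user ..." is skipped
# because the preceding "Invalid user ..." line already recorded that attempt.
PROBE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for(?! invalid user)) (\S+) from (\S+)"
)

def summarize(log, max_events=5, window=30, year=2010):
    """Return (Counter of probed userids, set of sources over the rate)."""
    users = Counter()
    recent = defaultdict(deque)   # source address -> timestamps inside the window
    flagged = set()
    for line in log.splitlines():
        m = PROBE.match(line)
        if not m:
            continue
        stamp, user, src = m.groups()
        # syslog timestamps carry no year, so one is supplied (assumed)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        users[user] += 1
        q = recent[src]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()           # drop attempts older than the window
        if len(q) > max_events:
            flagged.add(src)
    return users, flagged

if __name__ == "__main__":
    users, flagged = summarize(SAMPLE_LOG)
    print("probed userids:", users.most_common())
    print("sources over the rate:", sorted(flagged))
```
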