Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] Use of P0f

Dave Evans wrote:
> On Thu, May 14, 2009 at 02:35:45PM +0800, W B Hacker wrote:
>> But p0f has turned up something I had not expected - port 25 entirely aside,
>> nearly 80% of the break-in attempts are coming off Linux boxen and mostly to
>> port 22, very few from WinBoxen - on any port.
>>
>> Looks to me as if Linux has indeed won 'market share' - but not where we might
>> have most wished it to have appeared....
>
> Makes sense - box A attacking box B via ssh probably means that box A has
> already been compromised by that same attack vector. i.e. attack vectors
> tell you more about the attacker than the would-be victim.
>
>
I'd actually prefer to think the attacks were the deliberate action of a
malevolent intelligence - sitting at the console, even - than to think that
Linux was that frequently compromised.

A closer inspection of a 9+ hour run shows that it may not be ...

- Several instances of ONE IP, but walking the tree of originating ports

This will take out a whole 'tribe' of those...

    ipfw add 00614 deny ip from 221.0.0.0/8 to any

Nice thing about Irish Alzheimer's...
- I don't *remember* knowing anyone in Hebei Province, PRC anyway....
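
The pattern noted in the message above (one source IP reappearing on port 22 with a steadily advancing source port) can be picked out of a connection log mechanically. This is an added example, not part of the original message: the log-line layout is an assumption modelled on p0f's one-line output, the addresses are documentation ranges, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed layout: <time> src:port - OS guess -> dst:port).
SAMPLE_LOG = """\
<Thu May 14 03:10:01 2009> 203.0.113.7:40112 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
<Thu May 14 03:10:04 2009> 203.0.113.50:51000 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
<Thu May 14 03:10:05 2009> 203.0.113.7:40115 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
<Thu May 14 03:10:09 2009> 198.51.100.23:33001 - Linux 2.4-2.6 -> 192.0.2.10:22
<Thu May 14 03:10:11 2009> 203.0.113.50:2044 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
<Thu May 14 03:10:12 2009> 203.0.113.7:40121 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
<Thu May 14 03:10:15 2009> 198.51.100.99:1188 - Windows XP SP1+, 2000 SP3 -> 192.0.2.10:25
<Thu May 14 03:10:18 2009> 203.0.113.50:33010 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
<Thu May 14 03:10:20 2009> 203.0.113.7:40130 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
<Thu May 14 03:10:22 2009> 198.51.100.23:33050 - Linux 2.4-2.6 -> 192.0.2.10:22
<Thu May 14 03:10:25 2009> 203.0.113.50:1999 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
<Thu May 14 03:10:27 2009> 203.0.113.7:40134 - Linux 2.6 (newer, 3) -> 192.0.2.10:22
"""

LINE_RE = re.compile(
    r"^<[^>]+> (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) - (?P<os>.+?) "
    r"-> \d+\.\d+\.\d+\.\d+:(?P<dport>\d+)"
)

def parse(log):
    """Yield (src_ip, src_port, os_guess, dst_port) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["os"], int(m["dport"])

def port_walkers(log, dport=22, min_hits=4):
    """Return {src_ip: (os_guess, ports)} for sources that hit dport at least
    min_hits times with ascending source ports (one wrap-around tolerated)."""
    seen, os_of = defaultdict(list), {}
    for src, sport, os_guess, dst_port in parse(log):
        if dst_port == dport:
            seen[src].append(sport)
            os_of[src] = os_guess
    walkers = {}
    for src, ports in seen.items():
        descents = sum(a >= b for a, b in zip(ports, ports[1:]))
        if len(ports) >= min_hits and descents <= 1:
            walkers[src] = (os_of[src], ports)
    return walkers

if __name__ == "__main__":
    for src, (os_guess, ports) in port_walkers(SAMPLE_LOG).items():
        print(f"{src} [{os_guess}] walked {len(ports)} source ports: {ports}")
```

Listing the individual sources this way shows how many distinct hosts are actually involved before a deny rule is sized to cover them.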