Re: [exim] Use of P0f

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Use of P0f
Dave Evans wrote:
> On Thu, May 14, 2009 at 02:35:45PM +0800, W B Hacker wrote:
>> But p0f has turned up something I had not expected - port 25 entirely aside,
>> nearly 80% of the break-in attempts are coming off Linux boxen and mostly to
>> port 22, very few from WinBoxen - on any port.
>>
>> Looks to me as if Linux has indeed won 'market share' - but not where we might
>> have most wished it to have appeared....
>
> Makes sense - box A attacking box B via ssh probably means that box A has
> already been compromised by that same attack vector. i.e. attack vectors
> tell you more about the attacker than the would-be victim.
I'd actually prefer to think the attacks were the deliberate action of a
malevolent intelligence - sitting at the console, even - than to think that
Linux was that frequently compromised.

A closer inspection of a 9+ hour run shows that it may not be ...

- Several instances of ONE IP, but walking the tree of originating ports

This will take out a whole 'tribe' of those...

ipfw add 00614 deny ip from 221.0.0.0/8 to any

Nice thing about Irish Alzheimer's...

- I don't *remember* knowing anyone in Hebei Province, PRC anyway....

;-)
Bill
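As an added example (not code from the thread or from the p0f or Exim projects), a small Python script that does the kind of triage Bill describes: it tallies the fingerprinted OS share, finds a single source IP that keeps reconnecting from a walk of different originating ports, and builds an ipfw deny rule in the same form as the one quoted above. The input lines are constructed, and their "src:port - OS -> dst:port" layout is an assumption for this example, not p0f's actual output format.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "src:port - OS -> dst:port" layout
# (not real p0f output). One host in 221.0.0.0/8 walks its source ports at :22.
SAMPLE_LOG = """\
221.10.5.7:40211 - Linux 2.6 -> 10.0.0.1:22
221.10.5.7:40212 - Linux 2.6 -> 10.0.0.1:22
221.10.5.7:40213 - Linux 2.6 -> 10.0.0.1:22
221.10.5.7:40214 - Linux 2.6 -> 10.0.0.1:22
198.51.100.9:52311 - Windows XP -> 10.0.0.1:25
198.51.100.9:52311 - Windows XP -> 10.0.0.1:25
203.0.113.4:33001 - Linux 2.6 -> 10.0.0.1:22
"""

LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) - (?P<os>.+?) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def os_share(log):
    """Count hits per OS family (first word of the fingerprint label)."""
    counts = defaultdict(int)
    for rec in parse(log):
        counts[rec["os"].split()[0]] += 1
    return dict(counts)


def port_walkers(log, min_ports=3):
    """Map source IP -> sorted distinct source ports, for IPs seen from
    at least min_ports different originating ports (the 'walking' pattern)."""
    ports = defaultdict(set)
    for rec in parse(log):
        ports[rec["src"]].add(int(rec["sport"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def ipfw_rule(rule_no, cidr):
    """Render an ipfw deny rule in the form used in the message above."""
    return f"ipfw add {rule_no:05d} deny ip from {cidr} to any"
```

The rule builder accepts any CIDR, so the offending host can be dropped as a /32 rather than the whole /8 the message blocks, which also discards legitimate traffic from that range.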