EFW Support

Support => General Support => Topic started by: richardfisher on Tuesday 29 May 2012, 06:33:27 am



Title: Are we being attacked?
Post by: richardfisher on Tuesday 29 May 2012, 06:33:27 am
We have been using 2.5.1 for a while now in 7 locations. One of our locations has just started emailing me warnings about root login failures through ssh from ip ;::ffff:1 nnn.nnn.nnn.nnn

There have been 4 of these "attacks" in the last three days from 4 different ip addresses (2 in the States, 1 in England and 1 in Singapore). The location being "attacked" is where our Exchange Server is located, but this doesn't look like spammers etc., more like attempted hacking. However, could the email have led the attackers to the external ip of the firewall?

I am looking for advice, things to check etc. Fortunately I think we have a good password policy in effect which is helping protect us. Also - the number of attempts has dropped each time - first was about 384 over a 10 minute period but the most recent was only 20 attempts in 10 minutes. Hope this is a good sign and not a bad omen!

Thanks all.
Look forward to reading your posts!


Title: Re: Are we being attacked?
Post by: martman22 on Wednesday 30 May 2012, 01:00:11 am
You may want to look at using OSSEC on your remote sites. It will monitor such attacks and even block these attacks for whatever duration you set. It will also email you when attacks occur. I uploaded an agent in the customization section of this forum which will work on Endian 2.5.1, but you will need to install the management portion on a separate server, which you can download from their main site. Just do a search on it.

You can also compile it yourself if you install the development software on a spare Endian box, if you don't want to use the agent version of the software.
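The check the first post is doing by hand (counting failed root logins per source over a 10-minute window) is the same rule an OSSEC-style active response keys on. The script below is an added example, not code from this thread, from Endian, or from OSSEC: it parses OpenSSH "Failed password" lines, collapses the IPv4-mapped IPv6 form (::ffff:a.b.c.d) that the firewall's alert emails showed back to plain IPv4, and reports any source whose failures within a sliding window reach a threshold. The log lines, the year (syslog timestamps carry none, so 2012 is assumed), the window and the threshold are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log style; not a real capture.
SAMPLE_LOG = """\
May 29 06:01:02 fw sshd[2101]: Failed password for root from ::ffff:198.51.100.23 port 51022 ssh2
May 29 06:01:04 fw sshd[2101]: Failed password for root from ::ffff:198.51.100.23 port 51023 ssh2
May 29 06:01:07 fw sshd[2102]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2
May 29 06:01:09 fw sshd[2103]: Failed password for root from ::ffff:198.51.100.23 port 51024 ssh2
May 29 06:02:11 fw sshd[2104]: Failed password for root from ::ffff:198.51.100.23 port 51025 ssh2
May 29 06:03:15 fw sshd[2105]: Failed password for root from ::ffff:198.51.100.23 port 51026 ssh2
May 29 06:09:40 fw sshd[2106]: Accepted publickey for admin from 192.0.2.10 port 33001 ssh2
May 29 06:14:00 fw sshd[2107]: Failed password for root from ::ffff:198.51.100.23 port 51027 ssh2
"""

# Matches the standard OpenSSH failed-password message, with or without "invalid user".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def normalize_source(addr):
    """Collapse an IPv4-mapped IPv6 literal (::ffff:a.b.c.d) to plain IPv4 text."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_failures(text, year=2012):
    """Return (timestamp, user, source) for every failed-password line in text."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog timestamps have no year; the caller supplies one (assumed here)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], normalize_source(m["src"])))
    return events


def peak_failures(events, window=timedelta(minutes=10), user=None):
    """Highest number of failures per source inside any sliding window.

    If user is given, only failures against that account are counted.
    """
    by_src = defaultdict(list)
    for ts, u, src in events:
        if user is None or u == user:
            by_src[src].append(ts)
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        best, left = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # slide the window's left edge
                left += 1
            best = max(best, right - left + 1)
        peaks[src] = best
    return peaks


def flag_sources(text, threshold=5, window=timedelta(minutes=10), user=None):
    """Sources whose peak failure count within the window reaches the threshold."""
    peaks = peak_failures(parse_failures(text), window, user)
    return {src: n for src, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in flag_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins within 10 minutes")
```

The sliding window matters: a source that spreads attempts just past the window (the 06:14:00 line above) drops out of the count, which is exactly the behaviour the first post observed as "attempts dropping each time". A threshold rule of this shape is what an IDS blocks on; the sensible accompanying mitigation on the firewall is to restrict where SSH root logins are accepted from rather than relying on password strength alone.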