[Info-vax] intrusion detection
joukj
joukj at hrem.nano.tudelft.nl
Fri Mar 13 06:32:03 EDT 2009
Hi All,
Today I got the following from the command SHOW INTRUSION:
Intrusion       Type       Count  Expiration               Source
---------       ----       -----  ----------               ------
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.85
                IUPOP3::79.121.128.74:eileen
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.86
                IUPOP3::79.121.128.74:elaine
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.87
                IUPOP3::79.121.128.74:elisabeth
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.88
                IUPOP3::79.121.128.74:elizabeth
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.89
                IUPOP3::79.121.128.74:ellen
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.90
                IUPOP3::79.121.128.74:email
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.90
                IUPOP3::79.121.128.74:emails
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.91
                IUPOP3::79.121.128.74:emanuel
NETWORK         SUSPECT       22  13-MAR-2009 11:47:21.80
                IUPOP3::79.121.128.74:emerson
NETWORK         SUSPECT       22  13-MAR-2009 11:47:21.81
                IUPOP3::79.121.128.74:emily
NETWORK         SUSPECT       22  13-MAR-2009 11:47:21.81
                IUPOP3::79.121.128.74:emma
NETWORK         SUSPECT       22  13-MAR-2009 11:48:02.01
                IUPOP3::79.121.128.74:emmanuel
NETWORK         INTRUDER      22  13-MAR-2009 11:24:41.45
                IUPOP3::79.121.128.74:encrypt
NETWORK         INTRUDER      22  13-MAR-2009 11:28:15.26
                IUPOP3::79.121.128.74:eric
NETWORK         SUSPECT       88  13-MAR-2009 11:39:20.16
                IUPOP3::79.121.128.74:gilbert
etc.....
The attack seems to come from one IP address using different usernames to
get access to the POP server. Should the detection system not block all
access from this host rather than per user? As it is configured now they
can keep trying to get in (and waste bandwidth, because they will not
succeed).
Jouk
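As the listing above shows, every (address, username) pair gets its own record in the intrusion database, so one host walking through a list of usernames appears as a long run of separate SUSPECT entries rather than as a single noisy source. The script below is an added example, not code from the original post or from OpenVMS: it parses the two-line records that SHOW INTRUSION prints, groups them by the address part of the Source field, and flags any address seen with many distinct usernames. The sample output is constructed from the records quoted in the post; the 10.0.0.5 record is invented to show a second, quiet source, and the column layout, regular expressions and threshold are assumptions of this example.

```python
"""Aggregate OpenVMS SHOW INTRUSION output by source address (added example)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the post. The last
# record (10.0.0.5) is invented to show a second source that is not noisy.
SAMPLE_OUTPUT = """\
Intrusion       Type       Count  Expiration               Source
---------       ----       -----  ----------               ------
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.85
                IUPOP3::79.121.128.74:eileen
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.86
                IUPOP3::79.121.128.74:elaine
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.87
                IUPOP3::79.121.128.74:elisabeth
NETWORK         INTRUDER      22  13-MAR-2009 11:24:41.45
                IUPOP3::79.121.128.74:encrypt
NETWORK         INTRUDER      22  13-MAR-2009 11:28:15.26
                IUPOP3::79.121.128.74:eric
NETWORK         SUSPECT       88  13-MAR-2009 11:39:20.16
                IUPOP3::79.121.128.74:gilbert
NETWORK         SUSPECT        3  13-MAR-2009 12:01:00.00
                IUPOP3::10.0.0.5:fred
"""

# Status line: class, type, count, expiration, and (assumption) optionally the
# source on the same line when it is short enough to fit there.
STATUS_RE = re.compile(
    r"^(?P<intrusion>\S+)\s+(?P<type>SUSPECT|INTRUDER)\s+(?P<count>\d+)\s+"
    r"(?P<expiration>\d{1,2}-[A-Z]{3}-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{2})"
    r"(?:\s+(?P<source>\S+))?\s*$"
)
# Source field as seen in the post: optional node::, address, optional :username.
SOURCE_RE = re.compile(
    r"^(?:(?P<node>[^:\s]+)::)?(?P<address>[^:\s]+)(?::(?P<user>\S+))?$"
)


def _split_source(source):
    """Break 'NODE::address:user' into its parts; unparseable text keeps the raw string."""
    m = SOURCE_RE.match(source.strip())
    if not m:
        return {"node": None, "address": source.strip(), "user": None}
    return m.groupdict()


def parse_intrusions(text):
    """Return one dict per intrusion record found in SHOW INTRUSION output."""
    records = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Intrusion", "---")):
            continue  # header and underline rows
        m = STATUS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            source = rec.pop("source")
            if source:
                rec.update(_split_source(source))
                records.append(rec)
            else:
                pending = rec  # Source continues on the next line
        elif pending is not None:
            pending.update(_split_source(line))
            records.append(pending)
            pending = None
    return records


def summarize_by_address(records):
    """Group records by address: distinct usernames, summed counts, and whether
    any entry for that address has already escalated to INTRUDER."""
    summary = defaultdict(lambda: {"usernames": set(), "attempts": 0, "intruder": False})
    for rec in records:
        entry = summary[rec["address"]]
        if rec["user"]:
            entry["usernames"].add(rec["user"])
        entry["attempts"] += rec["count"]
        entry["intruder"] = entry["intruder"] or rec["type"] == "INTRUDER"
    return dict(summary)


def flag_multi_user_sources(records, min_users=5):
    """Addresses seen with at least min_users distinct usernames: the one-host,
    many-usernames pattern the post describes. The threshold is an assumption."""
    summary = summarize_by_address(records)
    return sorted(a for a, e in summary.items() if len(e["usernames"]) >= min_users)


if __name__ == "__main__":
    recs = parse_intrusions(SAMPLE_OUTPUT)
    for addr, e in summarize_by_address(recs).items():
        print(f"{addr}: {len(e['usernames'])} usernames, {e['attempts']} attempts, "
              f"intruder={e['intruder']}")
    print("flagged:", flag_multi_user_sources(recs))
```

Run against a captured SHOW INTRUSION listing, the per-address summary is what an operator would want to act on: the address with six usernames and 198 summed attempts stands out immediately, while a single-user source with three failures does not.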