[Info-vax] intrusion detection

Bill Gunshannon billg999 at cs.uofs.edu
Fri Mar 13 07:28:16 EDT 2009


In article <49ba3625$0$6682$703f8584 at textnews.kpn.nl>,
	joukj <joukj at hrem.nano.tudelft.nl> writes:
> Hi All,
> 
> Today I get the following at the command SHOW INTRUSION:
> 
> Intrusion       Type       Count        Expiration         Source
> ---------       ----       -----        ----------         ------
>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.85  IUPOP3::79.121.128.74:eileen
>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.86  IUPOP3::79.121.128.74:elaine
>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.87  IUPOP3::79.121.128.74:elisabeth
>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.88  IUPOP3::79.121.128.74:elizabeth
>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.89  IUPOP3::79.121.128.74:ellen
>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.90  IUPOP3::79.121.128.74:email
>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.90  IUPOP3::79.121.128.74:emails
>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.91  IUPOP3::79.121.128.74:emanuel
>     NETWORK      SUSPECT      22   13-MAR-2009 11:47:21.80  IUPOP3::79.121.128.74:emerson
>     NETWORK      SUSPECT      22   13-MAR-2009 11:47:21.81  IUPOP3::79.121.128.74:emily
>     NETWORK      SUSPECT      22   13-MAR-2009 11:47:21.81  IUPOP3::79.121.128.74:emma
>     NETWORK      SUSPECT      22   13-MAR-2009 11:48:02.01  IUPOP3::79.121.128.74:emmanuel
>     NETWORK      INTRUDER     22   13-MAR-2009 11:24:41.45  IUPOP3::79.121.128.74:encrypt
>     NETWORK      INTRUDER     22   13-MAR-2009 11:28:15.26  IUPOP3::79.121.128.74:eric
>     NETWORK      SUSPECT      88   13-MAR-2009 11:39:20.16  IUPOP3::79.121.128.74:gilbert
> etc.....
> 
> The attack seems to come from one IP address using different usernames to 
> get access to the pop-server. Should the detection system not block 
> the whole access from this host and not per user? As it is configured 
> now they can keep trying to get in (and waste bandwidth because they will 
> not succeed)
> 

One entry in your firewall stops that.  You do have a firewall, right?

bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999 at cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>   
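
The per-host view the question asks about, as an added example that is not part of the original thread: it regroups SHOW INTRUSION records by source address so that one host cycling through usernames stands out as a candidate for the firewall entry suggested in the reply. The `service::address:username` reading of the Source column, the IPv4-only address match, the function names and the `min_users` threshold are assumptions; the 192.0.2.10 row is constructed.

```python
import re
from collections import defaultdict

# Rows in the layout of the SHOW INTRUSION listing quoted above. The
# 79.121.128.74 rows are copied from the post (some left wrapped, as mailed);
# the 192.0.2.10 row is constructed sample data.
SAMPLE = """\
Intrusion       Type       Count        Expiration         Source
---------       ----       -----        ----------         ------
    NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.85
IUPOP3::79.121.128.74:eileen
    NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.86  IUPOP3::79.121.128.74:elaine
    NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.87  IUPOP3::79.121.128.74:elisabeth
    NETWORK      INTRUDER     22   13-MAR-2009 11:24:41.45  IUPOP3::79.121.128.74:encrypt
    NETWORK      INTRUDER     22   13-MAR-2009 11:28:15.26
IUPOP3::79.121.128.74:eric
    NETWORK      SUSPECT      88   13-MAR-2009 11:39:20.16  IUPOP3::79.121.128.74:gilbert
    NETWORK      SUSPECT       3   13-MAR-2009 11:50:00.00  IUPOP3::192.0.2.10:alice
"""

# class, type, count, expiration, then service::address:username (assumed layout)
ROW = re.compile(
    r"(\S+)\s+(SUSPECT|INTRUDER)\s+(\d+)\s+"
    r"(\d{1,2}-[A-Z]{3}-\d{4}\s+[\d:.]+)\s+"
    r"(\S+?)::([\d.]+):(\S+)"
)

def by_host(listing):
    """Group intrusion records by source address instead of by username."""
    text = re.sub(r"(?m)^>\s?", "", listing)  # drop e-mail quote markers
    hosts = defaultdict(lambda: {"users": set(), "failures": 0, "intruder": False})
    # \s+ in ROW also spans newlines, so rows wrapped before Source still match.
    for _cls, kind, count, _expires, _svc, addr, user in ROW.findall(text):
        h = hosts[addr]
        h["users"].add(user)
        h["failures"] += int(count)       # sum of the Count column
        h["intruder"] |= kind == "INTRUDER"
    return dict(hosts)

def hosts_to_block(listing, min_users=5):
    """Addresses seen with at least min_users distinct usernames."""
    return sorted(a for a, h in by_host(listing).items()
                  if len(h["users"]) >= min_users)

if __name__ == "__main__":
    for addr, h in by_host(SAMPLE).items():
        print(addr, len(h["users"]), "usernames,", h["failures"], "failures")
    print("firewall candidates:", hosts_to_block(SAMPLE))
```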


