[Info-vax] intrusion detection

joukj joukj at hrem.nano.tudelft.nl
Fri Mar 13 09:05:38 EDT 2009


Bill Gunshannon wrote:
> In article <49ba3625$0$6682$703f8584 at textnews.kpn.nl>,
> 	joukj <joukj at hrem.nano.tudelft.nl> writes:
>> Hi All,
>>
>> Today I get the following at the command SHOW INTRUSION:
>>
>> Intrusion       Type       Count        Expiration         Source
>> ---------       ----       -----        ----------         ------
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.85 IUPOP3::79.121.128.74:eileen
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.86 IUPOP3::79.121.128.74:elaine
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.87 IUPOP3::79.121.128.74:elisabeth
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.88 IUPOP3::79.121.128.74:elizabeth
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.89 IUPOP3::79.121.128.74:ellen
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.90 IUPOP3::79.121.128.74:email
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.90 IUPOP3::79.121.128.74:emails
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.91 IUPOP3::79.121.128.74:emanuel
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:47:21.80 IUPOP3::79.121.128.74:emerson
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:47:21.81 IUPOP3::79.121.128.74:emily
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:47:21.81 IUPOP3::79.121.128.74:emma
>>     NETWORK      SUSPECT      22   13-MAR-2009 11:48:02.01 IUPOP3::79.121.128.74:emmanuel
>>     NETWORK      INTRUDER     22   13-MAR-2009 11:24:41.45 IUPOP3::79.121.128.74:encrypt
>>     NETWORK      INTRUDER     22   13-MAR-2009 11:28:15.26 IUPOP3::79.121.128.74:eric
>>     NETWORK      SUSPECT      88   13-MAR-2009 11:39:20.16 IUPOP3::79.121.128.74:gilbert
>> etc.....
>>
>> The attack seems to come from one IP address using different usernames to 
>> get access to the POP server. Should the detection system not block 
>> the whole access from this host and not per user? As it is configured 
>> now they can keep trying to get in (and waste bandwidth because they will 
>> not succeed)
>>
> 
> One entry in your firewall stops that.  You do have a firewall, right?
> 
> bill
> 
I know. Also the abuse was already reported to "computer-authorities" in 
my university in order to "stop" the abuse.
My question was more "principle" for the next time, since at present I 
can block the "offending" IP address. But if the attack comes from a 
completely different network in future it will not be blocked (the pop3 
service i.e. should be open for our legal clients from outside the 
university). I was just wondering why all these offences were logged as 
"single" offences and not "bundled" as one so that a retry with another 
user-name does not help. I noticed that the SSHD from HP/TCPIP 
probably does this.

                    Jouk
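As an added illustration, not code from the thread or from HP/VMS, the Python below parses SHOW INTRUSION records like the ones quoted above and folds them per source host, which is the "bundling" Jouk is asking about: VMS keeps a separate SUSPECT/INTRUDER count per (host, username), so the script shows what a host-level count would look like instead. It assumes the Source field has the form SERVICE::HOST:USER; the sample records are the post's own lines re-joined, plus one constructed low-count record from a documentation address.

```python
import re
from collections import defaultdict

# One SHOW INTRUSION record: intrusion, type, count, expiration, source.
# The Source field is read as SERVICE::HOST:USER (an assumption from the output above).
RECORD_RE = re.compile(
    r"^\s*(?P<intrusion>\S+)\s+(?P<type>\S+)\s+(?P<count>\d+)\s+"
    r"(?P<expiration>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<source>\S+)\s*$")

# Constructed sample: four records from the post re-joined onto single lines, plus one
# low-count record from a documentation address to stand in for a legitimate user.
SAMPLE = """\
Intrusion       Type       Count        Expiration         Source
---------       ----       -----        ----------         ------
    NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.85 IUPOP3::79.121.128.74:eileen
    NETWORK      SUSPECT      22   13-MAR-2009 11:39:19.86 IUPOP3::79.121.128.74:elaine
    NETWORK      INTRUDER     22   13-MAR-2009 11:24:41.45 IUPOP3::79.121.128.74:encrypt
    NETWORK      SUSPECT      88   13-MAR-2009 11:39:20.16 IUPOP3::79.121.128.74:gilbert
    NETWORK      SUSPECT       3   13-MAR-2009 11:50:00.00 IUPOP3::192.0.2.10:jouk
"""

def parse_record(line):
    """Return a dict for one record line; header, ruler and blank lines give None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    service, _, rest = m["source"].partition("::")   # "IUPOP3", "79.121.128.74:eileen"
    host, _, user = rest.rpartition(":")              # "79.121.128.74", "eileen"
    return {"intrusion": m["intrusion"], "type": m["type"], "count": int(m["count"]),
            "expiration": m["expiration"], "service": service, "host": host, "user": user}

def parse_show_intrusion(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def aggregate_by_host(records):
    """Fold the per-(host, user) records into one total per source host: the
    bundling the post asks about, since VMS keeps a separate count per username."""
    totals = defaultdict(lambda: {"count": 0, "users": set()})
    for r in records:
        totals[r["host"]]["count"] += r["count"]
        totals[r["host"]]["users"].add(r["user"])
    return dict(totals)

def hosts_to_block(records, max_attempts=30, min_users=3):
    """Hosts whose failures across *all* usernames pass the limit, so that retrying
    with another username no longer gets a fresh count. Thresholds are illustrative."""
    return sorted(h for h, t in aggregate_by_host(records).items()
                  if t["count"] >= max_attempts and len(t["users"]) >= min_users)
```

On the sample, 79.121.128.74 totals 154 failures over four usernames and is the only host returned by hosts_to_block, while the single low-count record stays under the threshold.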
