[Info-vax] intrusion detection
Richard B. Gilbert
rgilbert88 at comcast.net
Fri Mar 13 12:27:25 EDT 2009
joukj wrote:
> Hi All,
>
> Today I get the following at the command SHOW INTRUSION:
>
> Intrusion       Type       Count  Expiration               Source
> ---------       ----       -----  ----------               ------
> NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.85
>                                   IUPOP3::79.121.128.74:eileen
> NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.86
>                                   IUPOP3::79.121.128.74:elaine
> NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.87
>                                   IUPOP3::79.121.128.74:elisabeth
> NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.88
>                                   IUPOP3::79.121.128.74:elizabeth
> NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.89
>                                   IUPOP3::79.121.128.74:ellen
> NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.90
>                                   IUPOP3::79.121.128.74:email
> NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.90
>                                   IUPOP3::79.121.128.74:emails
> NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.91
>                                   IUPOP3::79.121.128.74:emanuel
> NETWORK         SUSPECT       22  13-MAR-2009 11:47:21.80
>                                   IUPOP3::79.121.128.74:emerson
> NETWORK         SUSPECT       22  13-MAR-2009 11:47:21.81
>                                   IUPOP3::79.121.128.74:emily
> NETWORK         SUSPECT       22  13-MAR-2009 11:47:21.81
>                                   IUPOP3::79.121.128.74:emma
> NETWORK         SUSPECT       22  13-MAR-2009 11:48:02.01
>                                   IUPOP3::79.121.128.74:emmanuel
> NETWORK         INTRUDER      22  13-MAR-2009 11:24:41.45
>                                   IUPOP3::79.121.128.74:encrypt
> NETWORK         INTRUDER      22  13-MAR-2009 11:28:15.26
>                                   IUPOP3::79.121.128.74:eric
> NETWORK         SUSPECT       88  13-MAR-2009 11:39:20.16
>                                   IUPOP3::79.121.128.74:gilbert
> etc.....
>
> The attack seems to come from one IP address using different usernames to
> get access to the POP server. Should the detection system not block the
> whole access from this host and not per user? As it is configured now
> they can keep trying to get in (and waste bandwidth because they will not
> succeed).
>
> Jouk
I don't think it should block all access from a particular host. YOU
may have the necessary judgment and authority to do so but it seems to
me to be a little too much to expect from the O/S.
If the machine using 79.121.128.74 belongs to your organization, you
would be fully justified in complaining to the owner and/or
administrator of that machine. If the address does not belong to your
organization, simply block it at the firewall!
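The pattern Jouk describes (one source host cycling through many usernames, so that each per-user record stays a SUSPECT while the host as a whole keeps hammering the POP server) is easy to surface by aggregating the SHOW INTRUSION records per host rather than per user. The Python script below is an added example, not code from this thread or from OpenVMS; it parses output in the shape quoted above (with the long Source field wrapped onto a continuation line), assumes the `service::host:user` source format shown in the post, and runs over a constructed sample that reuses a few of the quoted records plus a hypothetical quiet host at 192.0.2.10. The thresholds in `noisy_hosts` are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the layout quoted in the thread; the second host
# (192.0.2.10) is hypothetical and exists only to show a benign entry.
SAMPLE_OUTPUT = """\
Intrusion       Type       Count  Expiration               Source
---------       ----       -----  ----------               ------
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.85
                                  IUPOP3::79.121.128.74:eileen
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.86
                                  IUPOP3::79.121.128.74:elaine
NETWORK         INTRUDER      22  13-MAR-2009 11:24:41.45
                                  IUPOP3::79.121.128.74:encrypt
NETWORK         SUSPECT       88  13-MAR-2009 11:39:20.16
                                  IUPOP3::79.121.128.74:gilbert
NETWORK         SUSPECT        3  13-MAR-2009 11:50:00.00
                                  IUPOP3::192.0.2.10:bob
"""


class Entry(NamedTuple):
    intrusion: str   # e.g. NETWORK
    kind: str        # SUSPECT or INTRUDER
    count: int
    expiration: str
    source: str      # service::host:user (assumed format, as in the post)


class HostSummary(NamedTuple):
    host: str
    usernames: int        # distinct usernames tried from this host
    attempts: int         # sum of the Count column over all its records
    intruder_entries: int # how many of its records already reached INTRUDER


# One record line: four fixed columns, optionally followed by the Source.
RECORD_RE = re.compile(
    r"^(?P<intrusion>\S+)\s+(?P<kind>\S+)\s+(?P<count>\d+)\s+"
    r"(?P<expiration>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s*(?P<source>\S*)$"
)
SOURCE_RE = re.compile(r"^(?P<service>[^:]+)::(?P<host>[^:]+):(?P<user>.*)$")


def parse_show_intrusion(text: str) -> List[Entry]:
    """Parse SHOW INTRUSION output, joining a wrapped Source line to its record."""
    entries: List[Entry] = []
    pending: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Intrusion") or line.startswith("-"):
            continue  # blank, header or underline row
        m = RECORD_RE.match(line)
        if m:
            if pending is not None:       # previous record never got a Source
                entries.append(pending)
            pending = Entry(m["intrusion"], m["kind"], int(m["count"]),
                            m["expiration"], m["source"])
            if pending.source:            # Source fitted on the same line
                entries.append(pending)
                pending = None
        elif pending is not None:
            # Continuation line carrying the wrapped Source field.
            entries.append(pending._replace(source=line))
            pending = None
    if pending is not None:
        entries.append(pending)
    return entries


def summarize_by_host(entries: List[Entry]) -> Dict[str, HostSummary]:
    """Collapse per-user records into one summary per source host."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    intruders = defaultdict(int)
    for e in entries:
        sm = SOURCE_RE.match(e.source)
        if not sm:
            continue  # unrecognised source format; skip rather than guess
        host = sm["host"]
        users[host].add(sm["user"])
        attempts[host] += e.count
        if e.kind == "INTRUDER":
            intruders[host] += 1
    return {h: HostSummary(h, len(users[h]), attempts[h], intruders[h]) for h in users}


def noisy_hosts(summaries: Dict[str, HostSummary],
                min_users: int = 3, min_attempts: int = 50) -> List[str]:
    """Hosts that look like a username sweep even if no single record is an INTRUDER."""
    return sorted(h for h, s in summaries.items()
                  if s.usernames >= min_users or s.attempts >= min_attempts)


if __name__ == "__main__":
    summary = summarize_by_host(parse_show_intrusion(SAMPLE_OUTPUT))
    for host in noisy_hosts(summary):
        s = summary[host]
        print(f"{host}: {s.usernames} usernames, {s.attempts} attempts, "
              f"{s.intruder_entries} INTRUDER records -> candidate for a firewall block")
```

Feed it the real output (`PIPE SHOW INTRUSION` redirected to a file, then read from Python on a host that has it) and the per-host list is what you would hand to whoever owns the firewall, which is the action Richard recommends; the per-user records that the O/S keeps are left as they are.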