
Date:  Thu, 26 Oct 2006 16:18:34 -0500
From:  "Steve Davis" <steve (at mark) zio.com>
Subject:  [coba-e:07735] Re: Brute? Am I being attacked?
To:  coba-e (at mark) bluequartz.org
Cc:  coba-e (at mark) bluequartz.org
Message-Id:  <fc.000f814700259b533b9aca0079ee0022.259b63 (at mark) fc.zio.com>
In-Reply-To:  <078f01c6f92f$6c352840$6700a8c0@OfficeKen>
References:  <453FBA47.9030809 (at mark) digitalcollision.com> <fc.000f814700259a873b9aca0079ee0022.259a8a (at mark) fc.zio.com> <078f01c6f92f$6c352840$6700a8c0 (at mark) OfficeKen>
X-Mail-Count: 07735

coba-e (at mark) bluequartz.org on Thursday, October 26, 2006 at 1:49 PM +0000 wrote:
>
>>
>> I found 231 processes running on an all-yummed-up BQ this afternoon, with half
>> of them a Brute process.
>>
>> Any ideas? I have killed all and rebooted; not sure the box will come back,
>> or if the process will come back.
>>
>> Steve
>
>Install the APF firewall with ingress filtering only.
>Install BFD with it to auto-block the IP addresses of brute-force attempts
>against SSH, ProFTPD, etc.
>
>And since the /etc/cron.hourly/log_traffic does not like the firewall:
>mv /etc/cron.hourly/log_traffic   /etc/


Great, thanks.

I did remove the offending files that seemed to have made it into the Samba spool area.
And I did some more administrative tweaking so it could not be executed again.

Is there an APF I can fetch from the yum repository, or should I just Google a version?

Steve
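The reply above recommends BFD, which works by counting failed logins per source address in the service logs and handing addresses over a trigger count to APF. The script below is an added example of that counting step, written for this archive page; it is not code from the thread, from BFD or from APF. The sshd log lines are constructed sample data, the trigger value TRIG is an assumed setting, and the deny step only prints what a real deployment would pass to the firewall's deny command (`apf -d ADDRESS`).

```shell
#!/bin/sh
# Added example: per-source-address failed-login count of the kind a
# brute-force detector such as BFD applies to the sshd log before a source is
# denied at the firewall. Not BFD's or APF's own code.
# The log lines below are constructed sample data, not from any real host.

SAMPLE_LOG='Oct 26 14:01:02 bq sshd[2211]: Failed password for root from 192.0.2.10 port 40012 ssh2
Oct 26 14:01:04 bq sshd[2212]: Failed password for invalid user admin from 192.0.2.10 port 40013 ssh2
Oct 26 14:01:06 bq sshd[2213]: Failed password for root from 192.0.2.10 port 40014 ssh2
Oct 26 14:01:09 bq sshd[2214]: Failed password for root from 192.0.2.10 port 40015 ssh2
Oct 26 14:02:30 bq sshd[2220]: Failed password for steve from 198.51.100.7 port 51000 ssh2
Oct 26 14:02:45 bq sshd[2221]: Accepted password for steve from 198.51.100.7 port 51001 ssh2'

# Assumed trigger: failures from one address before it is reported.
TRIG=3

# offenders: read sshd log text on stdin, keep only "Failed password" lines,
# extract the source address, count per address, and print (sorted, one per
# line) every address whose count reaches TRIG. Successful logins and other
# daemons' lines are ignored.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v trig="$TRIG" '$1 >= trig { print $2 }' \
    | sort
}

# offender_count: number of addresses over the threshold in SAMPLE_LOG.
offender_count() {
    printf '%s\n' "$SAMPLE_LOG" | offenders | wc -l | tr -d ' '
}

# In a real deployment this loop would call the firewall's deny command
# (APF: apf -d ADDRESS "reason"). Here it only reports, so the script is
# safe to run anywhere.
printf '%s\n' "$SAMPLE_LOG" | offenders | while read -r addr; do
    printf 'would deny: %s (>= %s failed sshd logins)\n' "$addr" "$TRIG"
done
```

With the sample data only 192.0.2.10 crosses the threshold; the single failure from 198.51.100.7 followed by a successful login is the normal mistyped-password case that a sensible trigger value must not block, which is why the count, not the mere presence of a failure, drives the deny decision.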