On 26 Nov 2013, at 22:56, "Brian Schenkenberger, VAXman-" <system at TMESIS.COM> wrote:
Dennis Boone <drb at msu.edu> writes:
Am I the only one who's almost constantly being hit by login scans
(usually from China or weird places like Kazakhstan - sorry Oleg) on
their Internet facing Telnet/SSH ports?
It's not like they get in or anything, my guess is that this is just
part of a larger scan so if you guys are getting hit as well, I won't
worry that I'm being targeted :)
Pretty much if it's connected to the internet, it's getting
dictionary-scanned on any open telnet and ssh ports. The scanners have
gotten a little smarter in the last 8 years or so -- they no longer
generate so many parallel connections that you notice them because of
load or socket starvation.
I put in firewall rules to block addresses which generate too many ssh
connections in a period of time, mostly to prevent the log spam.
Stupid! Disable TELNET for anything but your local net. You do NOT want
plain text sent over the internet!
As for SSH, moving it off of port 22 seems to quiet things down. Use one
of the port numbers in the ephemeral range like 22222. Of course, you'll
need to tell your ssh client that you're using a different port using the
-p option.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
Well I speak to machines with the voice of humanity.
I agree with both points for production "real" boxes: SSH in pubkey mode on a random port, no telnet.
But for public access hobby systems that significantly increases the barrier to entry for new users. I run SSH, but in pubkey mode only; Telnet is used by the vast majority of my users. These are hobby systems, and I haven't had any complaints.
On 26 Nov 2013, at 22:45, Mark Benson <md.benson at gmail.com> wrote:
We get them by the shedload on our work hosting server. We run CPHulk on there to keep them out. I'd suggest implementing some kind of 'block IP for 24 hrs after x failed logins' scheme if you can. That usually forces them to move on.
Nah, they make good target practice and a real data source for my SIEM :)
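
The "block IP for 24 hrs after x failed logins" scheme and the rate-based firewall blocking discussed in this thread, as an added Python example that is not part of any poster's message. It assumes OpenSSH-style "Failed password" syslog lines; the sample log, the threshold of 3 failures in 10 minutes and the name `plan_bans` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH sshd syslog format; IPs are documentation ranges.
SAMPLE_LOG = """\
Nov 26 22:30:01 hobby sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov 26 22:30:04 hobby sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Nov 26 22:30:09 hobby sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Nov 26 22:31:00 hobby sshd[4107]: Failed password for root from 203.0.113.7 port 40140 ssh2
Nov 26 22:31:10 hobby sshd[4110]: Failed password for guest from 198.51.100.23 port 51515 ssh2
Nov 26 22:31:25 hobby sshd[4112]: Failed password for guest from 198.51.100.23 port 51520 ssh2
Nov 26 22:31:40 hobby sshd[4114]: Accepted password for guest from 198.51.100.23 port 51533 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def plan_bans(lines, max_failures=3, window=timedelta(minutes=10),
              ban=timedelta(hours=24), year=2013):
    """Return {ip: (ban_start, ban_end)} for sources exceeding the threshold.

    syslog timestamps carry no year, so `year` is supplied by the caller.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other daemons are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and ts < bans[ip][1]:
            continue              # still banned: the firewall would have dropped this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # slide the window forward
            q.popleft()
        if len(q) >= max_failures:
            bans[ip] = (ts, ts + ban)
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in plan_bans(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip} from {start} until {end}")
```

On the sample, the source with three failures in eight seconds is banned for 24 hours, while the user who mistypes twice and then logs in is left alone.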
Hello!
Oddly enough when my system is showing that port, then yes. But not as
many. I run a program on it that works along the lines of, you get
three tries, and then shown the doors.
-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."
On Tue, Nov 26, 2013 at 5:32 PM, Sampsa Laine <sampsa at mac.com> wrote:
Am I the only one who's almost constantly being hit by login scans (usually from China or weird places like Kazakhstan - sorry Oleg) on their Internet facing Telnet/SSH ports?
It's not like they get in or anything, my guess is that this is just part of a larger scan so if you guys are getting hit as well, I won't worry that I'm being targeted :)
sampsa <sampsa at mac.com>
mobile +44 7961 149465
On 25 Nov 2013, at 09:01, Erik Olofsen <e.olofsen at xs4all.nl> wrote:
And recent XTerm versions are capable of displaying Sixel graphics, but need to be configured/compiled with --enable-sixel-graphics!
Erik
Got something that'll build with a simple "./configure ; make ; make install" on OS X?
I find building Unix stuff on OS X tedious, something's always broken with dyld or something..
On Mon, Nov 25, 2013 at 08:30:50AM +0000, Sampsa Laine wrote:
On 24 Nov 2013, at 22:58, Johnny Billquist <bqt at softjar.se> wrote:
I can only agree. I've checked both iTerm and iTerm2 several times, and the terminal emulation sucks. Not usable, if you ask me.
The only decent VT emulation I know of (apart from DEC stuff) is actually xterm. And xterm is available on a MAC as well.
That, along with a full MAC keyboard (the one with the numeric keypad) will do pretty much all keys you'd normally want straight out of the box.
And xmodmap is your friend, if you want to customize things more, along with the resources for xterm.
It's weird, I just haven't had these problems with either Terminal.app or iTerm/iTerm2 - but I guess if they get irritating enough I'll swap to xterm.
sampsa