On Thu, 17 Jun 2010 07:48:18 EDT, Gary Baribault said: > Both of these systems are within one /21 and get attacked > regularly. I run Denyhosts on them, and update the central server once > an hour with attacking IPs, and obviously also download the public > hosts.deny list. > > These machines get hit regularly, so often that I don't really > care, it's fun to make the script kiddies waste their time! But in > this instance, only my home box is being attacked... someone is > burning a lot of cycles and hosts to do a distributed dictionary > attack on my one box! One of two things springs to mind: 1) when they scanned your address space looking for SSH hosts to try to whack, your one host didn't report as a target for some random reason. 2) they're handling their list of targets in a pseudo-random order. We've seen attacking IPs pound on 2 or 3 hosts in our /16 for a few days, then go away, and 2-3 weeks later return to pound on other targets. Bottom line: Either they didn't notice your other box, or they'll get around to poking it in a few weeks...
Attachment:
pgpGuqPAiqWVI.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/