[SWLUG] Odd traffic. What is going on here?

Neil Jones neil at nwjones.demon.co.uk
Tue May 8 19:02:11 UTC 2007


On Tue, 2007-05-08 at 15:49 +0100, Jonathan Wright wrote:
> Neil Jones wrote:
> > The modem is flashing like mad and sometimes there is disk activity. 
> > This has occurred when I have come back to my computer after being out
> > of the room for a while so I cannot be doing it.
> 
> If your computer is directly connected to the Internet and has a public 
> IP address then sporadic bursts of traffic (and the hard-drive activity 
> that comes with it) are not unusual.
> 
> Pretty much every possible IP address will be regularly tested for holes, 
> exploits or just plain brute-force attacks.
> 
> In your case, it looks like someone is trying a brute-force attack on 
> the SSH port of your system trying to see if there's an account with a 
> weak password.
> 
> This will bring with it hard-drive activity as each failed login attempt 
> will be written to the log files.

Of course. I should have checked the log files. I have seen this many
times with server logs. Mostly then it is FTP they are trying to get at.
Checking the log, that is exactly what is happening and the attempts are
pretty pathetic too.
> 
> Same goes with the firewall - if you have a log request at the end of 
> any of the rules (which is usually the case before you drop packets), 
> if anyone's scanning your system for open ports that can bring a lot of 
> activity for both the modem and the hard drive.
> 
> Personally, I don't think it's that much to worry about. So long as you 
> have a firewall enabled and a minimum amount of ports, etc. open to the 
> Internet as is necessary then there's little chance of any 'script 
> kiddies' getting access.

I agree. Thanks 
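
The log check discussed in this thread, as an added example that is not part of the original messages: a small Python script that counts failed SSH password attempts per source address and notes any accepted login from a source that had already failed repeatedly. The log lines are constructed samples in OpenSSH's syslog format; the names `summarize` and `SAMPLE` and the threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# The username is chosen by the remote client and may contain spaces, so
# match it greedily and anchor the real source address at the end of the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize(lines, threshold=3):
    """Return {ip: report} for sources with at least `threshold` failures."""
    failures = defaultdict(int)
    users = defaultdict(set)
    accepted_after = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        # A success from a source that has already crossed the threshold
        # is the one case here that needs a closer look.
        if m and failures.get(m["ip"], 0) >= threshold:
            accepted_after[m["ip"]].add(m["user"])
    return {ip: {"failures": n,
                 "users": sorted(users[ip]),
                 "accepted_after": sorted(accepted_after[ip])}
            for ip, n in failures.items() if n >= threshold}

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE = [
    "May  8 18:41:02 host sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 40312 ssh2",
    "May  8 18:41:05 host sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 40320 ssh2",
    "May  8 18:41:09 host sshd[2215]: Failed password for root from 203.0.113.9 port 40331 ssh2",
    # Username crafted to look like a different source address:
    "May  8 18:41:12 host sshd[2217]: Failed password for invalid user root from 192.0.2.1 port 1 ssh2 from 203.0.113.9 port 40340 ssh2",
    "May  8 18:50:00 host sshd[2300]: Failed password for neil from 198.51.100.7 port 51000 ssh2",
    "May  8 18:50:06 host sshd[2302]: Accepted password for neil from 198.51.100.7 port 51002 ssh2",
]

if __name__ == "__main__":
    for ip, report in summarize(SAMPLE).items():
        print(ip, report)
```

Anchoring the address at the end of the line keeps a crafted username from shifting the count onto an unrelated address.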




