Re: Possible attack?

Anon E. Muss wrote:
> On Fri, 19 Sep 2008 09:56:24 -0500, Allen Kistler
> <ackistler@oohay.moc> wrote:
>
>> Anon E. Muss wrote:
>>> I recently noticed excessive activity on my router's activity LED and
>>> did a little investigating. As immediate action, I used a big hammer
>>> and firewalled off 218/8 until I can figure out what is going on here.
>>> Yesterday, it was 201/8.
>>>
>>> Below is most of the output of netstat. Can someone let me know what is
>>> going on here? SynFlood?? Also, any suggestions??
>>>
>>> ===== BEGIN =====
>>> Active Internet connections (w/o servers)
>>> Proto Recv-Q Send-Q Local Address Foreign Address State
>>>
>>> [snip]
>> Welcome to the Internet. It's been here for a while. Where have you been?
>
> Been here a while.
>
>> If you have services offered to the world, lots of people are going to
>> try to break in. If you have ssh turned on with guessable usernames
>> (like, you know, root, ftp, httpd, or bin) and authentication using only
>> password enabled, eventually someone is going to guess your lame password.
>
> Not *my* password.

All passwords are lame. If your system is available from the Internet,
crackers have a large amount of time to try a large amount of
username/password combinations. Disable passwords. Use public keys.
1024 bits = 128 bytes is better than any password you think is good.

> I will go through the users and find out who used a lame-o password.
>
> Thanks for the help.
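
The advice in the reply above ("Disable passwords. Use public keys.") can be checked against a server's configuration. The following is an added example, not part of the original thread: it assumes the service is OpenSSH's sshd, and the function name `audit`, the assumed defaults and the sample configs are constructed for illustration.

```python
import re

# Assumption: defaults of current OpenSSH when a keyword is absent (older releases differ).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "permitrootlogin": "prohibit-password"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")  # "Key value" or "Key=value"


def audit(config_text):
    """Return findings for sshd_config settings that still allow password guessing."""
    settings, findings, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else LINE.match(line)
        if not m:
            continue
        key = m.group(1).lower()              # keywords are case-insensitive
        key = ALIASES.get(key, key)
        value = m.group(2).split()[0].strip('"')
        if key == "match":
            match = m.group(2)                # later lines apply only to this block
        elif match and key in PASSWORD_KEYS and value != "no":
            findings.append(f"Match {match}: {key} = {value}")
        elif not match and key in DEFAULTS:
            settings.setdefault(key, value)   # sshd keeps the first value it reads
    eff = {**DEFAULTS, **settings}
    for key in PASSWORD_KEYS:
        if eff[key] != "no":
            findings.append(f"global: {key} = {eff[key]}")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("global: pubkeyauthentication is off")
    if eff["permitrootlogin"] == "yes":
        findings.append("global: permitrootlogin = yes")
    return findings


# Constructed sample configs, not taken from the thread.
# In WEAK the trailing "PasswordAuthentication no" has no effect: the first value won.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("PermitRootLogin no\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\nChallengeResponseAuthentication no\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no password-based login enabled")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser only reads the text of a single file.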