-
October 23rd, 2009, 03:33 PM
#1
Junior Member
tracing IP
We have a computer that is getting a ton of failed login attempts. I have the IP of the person that is trying to log in. I would like to find out more about where it is coming from. I did a whois lookup but it didn't really help, and I did a traceroute but that didn't help.
How do I find out where/who it is?
-
October 23rd, 2009, 05:10 PM
#2
Member
Did the whois come up with anything of use?
-
October 23rd, 2009, 06:11 PM
#3
Try this site. See if the hostname will give you any clues:
http://www.hcidata.info/host2ip.htm
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
October 23rd, 2009, 07:00 PM
#4
Junior Member
That was better than the whois site. It said it was from China, which is not what ARIN said. http://ws.arin.net/whois/ said the country is AU. Is there anything I can do other than block that port on the firewall? I am guessing it's just a script based on the random names they are trying to log in with.
-
October 24th, 2009, 03:14 AM
#5
Is it SSH? I have heard that a lot of SSH bruteforce attacks are coming from Chinese IPs. Now, whether or not the attacks are actually originating there is another issue.
-
October 24th, 2009, 08:37 PM
#6
Is it a service that is required to be open to everyone? E.g., if you're in the USA, and it's for employees to do remote desktop, then you could block foreign IPs to that port (set of ports). If it's supposed to be open for people to connect to, then your only real option is to block individual IPs that become abusive. Alternatively you can work with IDS & IPS on your perimeter to have them stopped at the edges based on their actions. You would set reasonable limits: 5 attempts in a short period of time might be OK, but 10 in that same time frame would indicate an attack, etc.
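The rate limit described in post #6, as an added example that is not part of the original thread: a sliding-window count of failed SSH logins per source address. It assumes OpenSSH's syslog "Failed password" line format; the function names, the 5-minute window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" syslog line (format assumed for this example).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def find_abusive_ips(lines, threshold=10, window=timedelta(minutes=5), year=2009):
    """Return {ip: time it first reached `threshold` failures within `window`}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and other daemons are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(m["ip"], ts)
    return flagged

def build_sample_log():
    """Constructed log lines; addresses are RFC 5737 documentation ranges."""
    start = datetime(2009, 10, 23, 15, 0, 0)
    lines = []
    # Scripted guessing: 12 failures, 10 seconds apart, a new username each time.
    users = "admin test oracle guest ftp mysql web user nagios postgres backup info"
    for i, user in enumerate(users.split()):
        t = (start + timedelta(seconds=10 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{t} gw sshd[{2000 + i}]: Failed password for invalid user "
                     f"{user} from 203.0.113.45 port {40000 + i} ssh2")
    # Forgetful employee: 5 failures one hour apart, then a successful login.
    for i in range(5):
        t = (start + timedelta(hours=i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{t} gw sshd[{3000 + i}]: Failed password for alice "
                     f"from 198.51.100.7 port {50000 + i} ssh2")
    lines.append("Oct 23 20:05:00 gw sshd[3100]: Accepted password for alice "
                 "from 198.51.100.7 port 50010 ssh2")
    return lines

if __name__ == "__main__":
    for ip, when in find_abusive_ips(build_sample_log()).items():
        print(f"{ip} reached the threshold at {when}")
```

With the defaults only the scripted source is flagged; the employee's five failures are an hour apart and never share a window.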
-
October 25th, 2009, 04:55 AM
#7
You can just set up the event viewer to not keep a log every time worms grind services or when users turn on the computer and forget their login details.
-
October 26th, 2009, 08:21 PM
#8
Junior Member
Yup, it's SSH attempts. Thanks for the help, everyone.
-
October 28th, 2009, 02:44 PM
#9
Can you configure the firewall to simply block that IP address?
Regards,
Steve
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com