The way it's supposed to work
All three of my internet-facing servers at work reported, in this morning’s status emails, that they had rejected repeated attempts to connect through SSH from the same IP address. From the log summaries, it looked as though someone had essentially just started trying logins and passwords, using some common “role” usernames, but also trying root just in case they could hit the jackpot and guess the superuser password. (Some systems, including ours, won’t let remote users log in directly as root for just this reason; instead, you need to log in as a particular unprivileged user, then request elevated privileges.)
I checked the IP address at ARIN, and discovered it belonged to a particular American university. (This was a surprise; I was expecting an anonymous Romanian or Chinese netblock.) I sent a terse but cordial email to the technical contact listed, explaining what I’d seen.
Within half an hour, I had a response from an individual at the university: they’d shut down that system yesterday morning. Given the time my servers file their reports and when the university reported the IP went dark, they must have hit me in the early morning, and the university had the system shut down within five hours of the earliest time they could’ve probed my servers.
Those guys are on the ball. I’m impressed. If we could get that kind of response from all ISPs on spam runs, there wouldn’t be a spam problem.
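The kind of per-address log summary described above, as an added example that is not part of the original post. The hostname, addresses and log lines are constructed, and the `min_users` threshold is an assumption; only the `Failed password for ...` message format comes from OpenSSH.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's syslog format; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation-only address ranges.
SAMPLE_LOG = """\
Mar  3 04:12:01 web1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Mar  3 04:12:04 web1 sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 40140 ssh2
Mar  3 04:12:07 web1 sshd[2105]: Failed password for root from 192.0.2.10 port 40177 ssh2
Mar  3 04:12:09 web1 sshd[2107]: Failed password for invalid user oracle from 192.0.2.10 port 40201 ssh2
Mar  3 09:30:15 web1 sshd[2250]: Failed password for alice from 198.51.100.7 port 51822 ssh2
Mar  3 09:30:21 web1 sshd[2250]: Accepted password for alice from 198.51.100.7 port 51822 ssh2
"""

# The username is chosen by the remote side and may contain spaces or even
# " from 203.0.113.9 port 1". The greedy user group plus the end anchor make
# the LAST " from <ip> port <n> ssh2" win, which is the part sshd itself wrote.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text):
    """Group failed SSH password attempts by source IP."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        entry = by_ip[m["ip"]]
        entry["count"] += 1
        entry["users"].add(m["user"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(by_ip)

def suspicious(summary, min_users=3):
    """IPs that tried several distinct usernames: guessing, not a typo."""
    return sorted(ip for ip, e in summary.items() if len(e["users"]) >= min_users)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in suspicious(report):
        e = report[ip]
        tried_root = "yes" if "root" in e["users"] else "no"
        print(f"{ip}: {e['count']} failures, users={sorted(e['users'])}, "
              f"root tried={tried_root}, {e['first']} .. {e['last']}")
```

The first and last timestamps per address are what you would quote in a report to the netblock's technical contact.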