Hi guys,
The security of one of my servers was compromised.
And the hacker visits every 2 days.
What can I install to trap and track him?
= = = = = = = = = = = = = = = = = =
Cpanel XP Evolution (Add DOZENS of functions to your Cpanel NOW!!!) - 21 Languages, User Friendly Interface, Feature Enabled, Highly Customizable, Create Popup Once window, Language Aware, Flash Tutorials, Theme Changer,Integration with Modernbill,WHM AutoPilot,ClientExec,LPanel&WHOISCart
Logcheck might be something to take a look at.
http://linux.maruhn.com/sec/logcheck.html
Hi guys,
I went to FTP section and downloaded the raw FTP log.
I nabbed that fella.
212.174.89.155 - - [25/Jun/2004:06:51:20 -0400] "GET / HTTP/1.1" 200 660 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; 118K501TUR)"
Went to http://www.ip2location.com/free.asp to check out the IP: 212.174.89.155
"212.174.89.155 TR TURKEY"
Got him!
Then I used iptables to block the whole class C IP.
iptables -I INPUT -s 212.174.89.0/24 -j DROP
Am I safe to say he can't break in? Can he use a proxy to get in?
If all you did was ban his IP (or the class C range of it) using iptables, then I would say yes.
Originally posted by Roy@ENHOST
Am I safe to say he can't break in? Can he use a proxy to get in?
Through Proxy?
Originally posted by SarcNBit
If all you did was ban his IP (or the class C range of it) using iptables, then I would say yes.
Sure. It also is not that difficult to obtain an IP on a different class C subnet. Most ISPs I have dealt with switch customers between two or three different subnets regularly. Keep in mind that you could ban all Turkish IPs, but that would not eliminate the possibility of the person using a shell account and simply using an account originating in another country.
What was this person doing on your box? How was your server compromised? Banning the hacker's IP is OK, but eliminating the source of the vulnerability is better.
If I was a hacker, I would never see it as a problem for a victim to block my IP.
Hackers can log in to your server from another server, for example.
In my opinion, eliminating the source of the vulnerability is not just better... it is a must!!!!
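The point made in the replies, that a /24 block only covers one source range, can be checked against the same access log. The following is an added example, not code from any poster in this thread: it flags User-Agent strings seen inside the blocked range that later appear from addresses outside it. The function names are hypothetical, and every sample log line except the first (which is the one quoted above) is constructed, using documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    '212.174.89.155 - - [25/Jun/2004:06:51:20 -0400] "GET / HTTP/1.1" 200 660 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; 118K501TUR)"',
    '198.51.100.23 - - [27/Jun/2004:06:49:02 -0400] "GET / HTTP/1.1" 200 660 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; 118K501TUR)"',
    '203.0.113.9 - - [27/Jun/2004:07:10:44 -0400] "GET / HTTP/1.1" 200 660 '
    '"-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)"',
]

def parse(lines):
    """Yield a dict of fields for each line that matches Combined Log Format."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()

def agents_outside_block(lines, blocked_cidr):
    """Map each User-Agent seen inside blocked_cidr to the sorted list of
    source IPs outside that range that sent the same User-Agent."""
    net = ipaddress.ip_network(blocked_cidr)
    seen_inside, outside = set(), defaultdict(set)
    for rec in parse(lines):
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # log was written with hostnames instead of addresses
        if ip in net:
            seen_inside.add(rec["agent"])
        else:
            outside[rec["agent"]].add(str(ip))
    return {ua: sorted(ips) for ua, ips in outside.items() if ua in seen_inside}

if __name__ == "__main__":
    for agent, ips in agents_outside_block(SAMPLE_LOG, "212.174.89.0/24").items():
        print(f"{agent!r} also seen from: {', '.join(ips)}")
```

The User-Agent header is chosen by the client, so a match is only a lead for further log review, not proof that the requests came from the same person.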