03-28-2008, 04:36 AM
Bill Vermillion
 
Re: OpenSSH 3.4p1 Trouble on SCO 5.0.5?

In article <47E6160C.7080405@att.net>,
Steve M. Fabac, Jr. <smfabac@att.net> wrote:
>I have a client running SCO 5.0.5 with OpenSSH 3.4p1
>installed.


>Since SSH was installed, we have been getting hits from
>people on the Internet scanning port 22.


>Normally they give up and go away. However, I have noticed
>an unusual number of scans from foreign IP addresses using
>valid names on the system (the names below in the block for
>a single source IP are the *only* names logged from that
>IP):


.....

>Anybody have any ideas, thoughts or comments on this?


I've seen as high as 10,000 such attempts per day - but these are
on mail and web servers directly connected to a tier 1 backbone
[level 3] in their Orlando colo. They actually switch [not route]
connections across the US so I can see 1 hop from Orlando to
Seattle - that's one reason they carry about 60% of the 'net
traffic.

But as Nico said in his reply to you, you really shouldn't put SCO
on a directly connected internet.

IMO the ONLY machines that should do so would be machines
that MUST be connected - e.g. mail servers and web servers. All
other machines should be behind a firewall.

Ideally 3 NIC cards connected to SWITCHES not hubs, would
have a public access IP, and those should connect to the second set
[A DMZ area] with such things as your web servers, and the 3rd
NIC would go to your business machines on a totally private network
so nothing from the outside world would ever get through.

It's easy and cheap to set up a separate mail/web server
and keep your important machines hidden. I run on FreeBSD since
switching an ISP from SGIs back in 1995 and it can run on a slim
machine and is awfully solid.

If you think you are seeing a lot of attacks, just wait - they get
more numerous as time goes by.

Bill

--
Bill Vermillion - bv @ wjv . com