-----Original Message----- From: Dustin Decker

Immediately after I replied to your earlier post, I thought to myself, "I really aught to ask Brian what the traffic looked like." If it's UDP, I'd almost wholesale expect it is spoofed. Same applies to ICMP, but if you're looking at genuine TCP traffic, with an established three-way-handshake, it's a different story. (If you're working solely on the basis of what you find in syslog and the like, you might not be able to answer the question either. [Insert soapbox about logging all packets that traverse the border here.])

Should definitely be TCP traffic. Attempts to log in via ssh from various ports. I don't think there's a port over 1024 on my system he/she left untouched. There may have been other ports/ services that were attempted, but they would have been dropped as part of the firewall rules. Not sure if I'm logging all the various ports/services such as ftp,etc. Don't want to open my server up to too easy of a DOS attack, so I basically ignore the impossible services.