Re: SSH Attacks - What to do?
- To: luci-discuss@luci.org
- Subject: Re: SSH Attacks - What to do?
- From: Derek Agar <derekagar@yahoo.com>
- Date: Wed, 27 Jul 2005 14:16:53 -0700 (PDT)
- DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=6Zr4R38KSWZlvJGjiv4ClxEU5zMacmETAoD2lxBAAn5Hgkb0JggIg4hxPsLzXOnUR4mKhbRwBJ21UIGHT8qL6SFCuWcklN3+DPeIRgV6GNIprFSVbW8qQJdjvfdoGt3FbXBrul+fdr1Jl66LOAQnR3r3Ab+nrcC1KO9UKv6I6/I= ;
- In-Reply-To: <42E7EC49.5090601@mcdonough.net>
- Organization: Linux Users of Central Illinois
- Reply-To: dagar@computer.org
- Sender: luci-discuss-owner@luci.org
If you are doing iptables firewalling, just drop all
packets coming from that IP address.
Webmin makes this pretty easy.
Now what would be slick is to add a script to auto-add
an iptables rule to drop all packets from a particular
IP address after so many unsuccessful attempts.
Derek
--- Tim McDonough <tim@mcdonough.net> wrote:
> In reviewing the logs on my Linux server I see that for today and much of yesterday someone has a machine set up that's trying to log in every few seconds via SSH. They have had no success so far. Here's a snippet of the message log, the file is huge with these things. (The last two entries are me doing legitimate work.)
>
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: check pass; user unknown
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
>
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: check pass; user unknown
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
>
> Jul 27 12:04:50 merlin samba(pam_unix)[14923]: session opened for user tim by (uid=0)
>
> Jul 27 14:21:28 merlin ftpd[14943]: wu-ftpd - TLS settings: control allow, client_cert allow, data allow
> Jul 27 14:21:34 merlin ftpd[14943]: FTP session closed
>
> For the time being I've shut off the ports in the little home gateway but that's not a good long term solution. My son and I both use the box remotely to access files for school and work.
>
> Is there any way to stop this? Do I just depend on password security or are there other tools I can readily apply to help?
>
> I'd really like to stop it before it gets past the gateway. We have metered wireless DSL service and if they are persistent enough it could end up costing me money just for the failed attempts.
>
> --
> Tim
>
> -
> To unsubscribe, send email to majordomo@luci.org
> with
> "unsubscribe luci-discuss" in the body.
>
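The "script that auto-adds an iptables rule after so many unsuccessful attempts" that Derek describes is essentially a log scanner with a per-source counter and a threshold. The following is an added example, not code from either poster or from the LUCI list: it parses the pam_unix "authentication failure" lines sshd writes (the "check pass; user unknown" line carries no rhost, so it is skipped), counts failures per rhost inside a sliding time window, and emits the corresponding iptables DROP rules instead of executing them. The sample log lines are constructed for the example, modeled on the ones quoted above; the threshold, window, year and allowlist values are assumptions, and the logic assumes the log is in chronological order, as syslog files are.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the pam_unix failure line sshd logs. The "check pass; user unknown"
# line from the same PID has no rhost, so it deliberately does not match.
FAIL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ '
    r'sshd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(?P<rhost>\S+)'
)

LOG_YEAR = 2005  # syslog timestamps carry no year; assumed from the post's date

# Constructed sample log, modeled on the lines quoted in the thread: five
# failures from one scanner four seconds apart, one typo by a LAN user,
# and unrelated samba/"check pass" noise that must be ignored.
SAMPLE_LOG = [
    "Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: check pass; user unknown",
    "Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216",
    "Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: check pass; user unknown",
    "Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216",
    "Jul 27 04:45:41 merlin sshd(pam_unix)[14819]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216",
    "Jul 27 04:45:45 merlin sshd(pam_unix)[14821]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216",
    "Jul 27 04:45:49 merlin sshd(pam_unix)[14823]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216",
    "Jul 27 04:46:02 merlin sshd(pam_unix)[14830]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.1.20 user=tim",
    "Jul 27 12:04:50 merlin samba(pam_unix)[14923]: session opened for user tim by (uid=0)",
]


def parse_failures(lines):
    """Yield (timestamp, rhost) for every sshd authentication-failure line."""
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("rhost")


def find_offenders(lines, max_failures=5, window_seconds=600, allowlist=()):
    """Return {rhost: time_of_nth_failure} for hosts that hit max_failures
    within window_seconds. Hosts in allowlist (e.g. your own LAN) are never
    banned, so a mistyped password at home cannot lock you out."""
    recent = defaultdict(deque)   # rhost -> timestamps of failures still in the window
    banned = {}
    for ts, rhost in parse_failures(lines):
        if rhost in allowlist or rhost in banned:
            continue
        window = recent[rhost]
        window.append(ts)
        # Drop failures older than the window (log assumed chronological).
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures:
            banned[rhost] = ts
    return banned


def iptables_rules(offenders, chain="INPUT"):
    """Render one DROP rule per offending source; printed, not executed."""
    return [f"iptables -I {chain} -s {rhost} -j DROP" for rhost in sorted(offenders)]


if __name__ == "__main__":
    # Review the output before piping it into sh as root.
    for rule in iptables_rules(find_offenders(SAMPLE_LOG, allowlist={"192.168.1.20"})):
        print(rule)
```

Two caveats worth keeping in mind if this is turned into a cron job. First, banned entries should expire (a `-D` counterpart run after some hours), or the INPUT chain grows without bound and a scanner on a dynamic address ends up blocking a later, innocent user of that address. Second, it does not address the metered-bandwidth concern in the original post: a DROP rule on the server discards the packets after they have already crossed the DSL link, so the failed SYNs still count against the quota; only blocking at the gateway, or moving sshd off the port the scanner is probing, stops them from arriving at all.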