
Re: SSH Attacks - What to do?



If you are doing IPTABLES firewalling, just drop all
packets coming from that IP address.
Webmin makes this pretty easy.  
Now what would be slick is to add a script to auto-add
an iptables rule to drop all packets from a particular
IP address after so many unsuccessful attempts.
Derek

--- Tim McDonough <tim@mcdonough.net> wrote:

> In reviewing the logs on my Linux server I see that for today and much
> of yesterday someone has a machine set up that's trying to log in
> every few seconds via SSH. They have had no success so far. Here's a
> snippet of the message log, the file is huge with these things. (The
> last two entries are me doing legitimate work.)
>
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: check pass; user unknown
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
>
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: check pass; user unknown
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
>
> Jul 27 12:04:50 merlin samba(pam_unix)[14923]: session opened for user tim by (uid=0)
>
> Jul 27 14:21:28 merlin ftpd[14943]: wu-ftpd - TLS settings: control allow, client_cert allow, data allow
> Jul 27 14:21:34 merlin ftpd[14943]: FTP session closed
>
> For the time being I've shut off the ports in the little home gateway
> but that's not a good long term solution. My son and I both use the
> box remotely to access files for school and work.
>
> Is there any way to stop this? Do I just depend on password security
> or are there other tools I can readily apply to help?
>
> I'd really like to stop it before it gets past the gateway. We have
> metered wireless DSL service and if they are persistent enough it
> could end up costing me money just for the failed attempts.
> 
> -- 
> Tim
> 
> -
> To unsubscribe, send email to majordomo@luci.org
> with
> "unsubscribe luci-discuss" in the body.
> 
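
One way to build the auto-blocking script suggested in the reply above, as an added example that is not part of the original thread. It counts sshd `authentication failure` lines per `rhost` in the pam_unix format quoted above and returns `iptables` DROP rules as argument lists; the function names, the threshold, the window and the allowlist are assumptions, and the sample addresses are documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the pam_unix format quoted in the thread.
# 198.51.100.7 and 203.0.113.9 are documentation addresses, not real hosts.
FAIL = ("Jul 27 {t} merlin sshd(pam_unix)[{pid}]: authentication failure; "
        "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost={ip}")
SAMPLE_LOG = [FAIL.format(t=f"04:45:{s}", pid=14800 + s, ip="198.51.100.7")
              for s in range(33, 53, 4)]            # 5 failures in 16 seconds
SAMPLE_LOG += [
    "Jul 27 12:04:50 merlin samba(pam_unix)[14923]: session opened for user tim by (uid=0)",
    FAIL.format(t="12:10:00", pid=15001, ip="203.0.113.9"),       # one stray failure
    FAIL.format(t="12:11:00", pid=15002, ip="host.example.net"),  # hostname, not an IP
]

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.*\brhost=(\S+)")

def offenders(lines, threshold=5, window=timedelta(minutes=10), allow=()):
    """Return IPv4 sources with >= threshold sshd failures inside one window."""
    recent, flagged = defaultdict(deque), []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:   # rhost is remote-influenced text: accept only a literal IPv4 address
            ip = str(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue
        if ip in allow or ip in flagged:   # never block allowlisted admin sources
            continue
        # syslog omits the year; a fixed leap year is assumed for interval maths
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:        # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.append(ip)
    return flagged

def drop_rules(ips):
    """Build iptables argument lists (no shell involved); the caller runs them."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]

if __name__ == "__main__":
    for argv in drop_rules(offenders(SAMPLE_LOG)):
        print(" ".join(argv))
```

Put the addresses you log in from in `allow` before acting on the output, so a few mistyped passwords cannot lock you out of the box.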

