Odd ssh attacks?

Tony Arnold tony.arnold at manchester.ac.uk
Sat Apr 21 20:39:48 UTC 2007


Chris,

Chris wrote:
> Is anyone seeing this in /var/log/auth.log ?
> 
> Apr 21 14:32:17 racerx sshd[16985]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=6a.5d.1343.static.theplanet.com  user=root
> Apr 21 14:32:20 racerx sshd[16985]: Failed password for root from
> 67.19.93.106 port 57194 ssh2
> Apr 21 14:32:20 racerx sshd[16987]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=6a.5d.1343.static.theplanet.com  user=root
> Apr 21 14:32:22 racerx sshd[16987]: Failed password for root from
> 67.19.93.106 port 57590 ssh2

Yes, I see this kind of thing all the time. Once you have an ssh server
running, the hackers will find your machine and attempt to crack your
machine by trying commonly known user names and their default password.

The first thing to do is to set ssh so users have to use a key rather
than a password.

If you can set your firewall to limit which machines can connect to you
then that will help too. Depending on whether you know where your users
are, this may not be feasible.

Finally, I would look at the package 'fail2ban'. This will temporarily
block any IP that is attempting to log in to your machine over ssh,
but failing. This won't stop it altogether but it will significantly
cut it down.

Regards,
Tony.
-- 
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
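
The kind of check a tool like fail2ban applies to `Failed password` lines such as those quoted above, as an added Python example (not part of the original message and not fail2ban's own code): it counts failures per source address inside a sliding time window. The log lines, documentation-range addresses, thresholds, default year and the function name `find_offenders` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the same sshd syslog format as the quoted lines
# (documentation-range addresses, not taken from the thread).
SAMPLE_LOG = """\
Apr 21 14:32:20 racerx sshd[16985]: Failed password for root from 192.0.2.10 port 57194 ssh2
Apr 21 14:32:22 racerx sshd[16987]: Failed password for root from 192.0.2.10 port 57590 ssh2
Apr 21 14:32:25 racerx sshd[16990]: Failed password for invalid user admin from 192.0.2.10 port 57801 ssh2
Apr 21 14:40:02 racerx sshd[17011]: Failed password for tony from 198.51.100.7 port 40112 ssh2
Apr 21 14:41:30 racerx sshd[17020]: Accepted publickey for tony from 198.51.100.7 port 40150 ssh2
Apr 21 15:10:00 racerx sshd[17100]: Failed password for root from 203.0.113.5 port 50000 ssh2
Apr 21 15:30:00 racerx sshd[17200]: Failed password for root from 203.0.113.5 port 50001 ssh2
Apr 21 15:50:00 racerx sshd[17300]: Failed password for root from 203.0.113.5 port 50002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2007):
    """Return {ip: first time the threshold was hit} for IPs with
    max_retry failures inside a sliding find_time window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year; the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry:
            offenders.setdefault(m["ip"], ts)
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} would ban {ip}")
```

In the sample, the address that fails once every 20 minutes never reaches the threshold, which is why a window-based block reduces this traffic without stopping it altogether.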



