auth.log showing attempted access
Dick Dowdell
dick.dowdell at gmail.com
Wed Aug 15 00:53:27 UTC 2007
You might try installing fail2ban for a start. It will ban an IP address
for a specified time after a specified number of failed logins within a
specified period of time. It's dramatically reduced robot attacks on my
servers.
sudo apt-get install fail2ban
Tracing IP addresses rarely provides any useful information about the real
attacker.
On 8/14/07, Yuelin Li <liy12 at mskcc.org> wrote:
>
> I see many entries like this in /var/log/auth.log
>
> sshd[15144]: Failed password for invalid user josh from::ffff:
> 89.123.234.25 port 2092 ssh2
>
> How can I trace this computer's location? More importantly, how can I
> report this person to his/her ISP? "host 89.123.234.25" showed that
> this DNS entry can not be reversed. Traceroute stops at
> FR1-Frankfurt.teleglobe.net (80.231.64.6). I have added iptables
> rules (see http://www.debian-administration.org/articles/187) to try
> to tighten SSH access. I feel I should do something about it because
> I get a few hundred entries a day coming from the same IP address.
>
> Yuelin.
>
>
> =====================================================================
>
> Please note that this e-mail and any files transmitted with it may be
> privileged, confidential, and protected from disclosure under
> applicable law. If the reader of this message is not the intended
> recipient, or an employee or agent responsible for delivering this
> message to the intended recipient, you are hereby notified that any
> reading, dissemination, distribution, copying, or other use of this
> communication or any of its attachments is strictly prohibited. If
> you have received this communication in error, please notify the
> sender immediately by replying to this message and deleting this
> message, any attachments, and all copies and backups from your
> computer.
>
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
--
Regards,
Dick Dowdell
508-498-7919
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20070814/fd730557/attachment.html>
More information about the ubuntu-users
mailing list