auth.log showing attempted access

Dick Dowdell dick.dowdell at gmail.com
Wed Aug 15 00:53:27 UTC 2007


You might try installing fail2ban for a start.  It will ban an IP address
for a specified time after a specified number of failed logins within a
specified period of time.  It's dramatically reduced robot attacks on my
servers.

sudo apt-get install fail2ban

Tracing IP addresses rarely provides any useful information about the real
attacker.



On 8/14/07, Yuelin Li <liy12 at mskcc.org> wrote:
>
> I see many entries like this in /var/log/auth.log
>
> sshd[15144]: Failed password for invalid user josh from ::ffff:89.123.234.25 port 2092 ssh2
>
> How can I trace this computer's location?  More importantly, how can I
> report this person to his/her ISP?  "host 89.123.234.25" showed that
> this DNS entry can not be reversed.  Traceroute stops at
> FR1-Frankfurt.teleglobe.net (80.231.64.6).  I have added iptables
> rules (see http://www.debian-administration.org/articles/187) to try
> to tighten SSH access.  I feel I should do something about it because
> I get a few hundred entries a day coming from the same IP address.
>
> Yuelin.
>



-- 
Regards,
Dick Dowdell
508-498-7919
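
The ban rule described in the reply above (a set number of failed logins inside a set time window), sketched as an added example over auth.log lines like the one quoted. This is not fail2ban's own code and not part of the original post; the parameter names mirror fail2ban's maxretry/findtime options, and the thresholds, the assumed year and the sample lines (documentation address ranges) are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines and drops the IPv4-mapped "::ffff:" prefix.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?:::ffff:)?(?P<ip>\S+) port \d+"
)

def find_bans(lines, maxretry=3, findtime=600, year=2007):
    """Return {ip: time of ban} for IPs with maxretry failures inside findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in bans:
            continue
        # syslog timestamps carry no year, so one is assumed here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans[m["ip"]] = ts
    return bans

# Constructed sample input, not taken from a real log
SAMPLE = [
    "Aug 14 10:00:01 host sshd[15144]: Failed password for invalid user josh from ::ffff:192.0.2.10 port 2092 ssh2",
    "Aug 14 10:00:05 host sshd[15150]: Failed password for root from 198.51.100.7 port 4000 ssh2",
    "Aug 14 10:00:09 host sshd[15151]: Failed password for invalid user test from ::ffff:192.0.2.10 port 2101 ssh2",
    "Aug 14 10:00:20 host sshd[15152]: Accepted password for alice from 203.0.113.5 port 5000 ssh2",
    "Aug 14 10:00:31 host sshd[15153]: Failed password for invalid user admin from ::ffff:192.0.2.10 port 2110 ssh2",
    "Aug 14 10:20:05 host sshd[15160]: Failed password for root from 198.51.100.7 port 4001 ssh2",
    "Aug 14 10:40:05 host sshd[15170]: Failed password for root from 198.51.100.7 port 4002 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE).items():
        print(f"{ip} would be banned at {when}")
```

The slow source (one failure every 20 minutes) never reaches the threshold, which is why the window length matters as much as the retry count.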