auth.log showing attempted access

Karl Auer kauer at biplane.com.au
Wed Aug 15 01:01:11 UTC 2007


On Tue, 2007-08-14 at 20:46 -0400, Yuelin Li wrote:
> I see many entries like this in /var/log/auth.log
> 
> sshd[15144]: Failed password for invalid user josh from::ffff:89.123.234.25 port 2092 ssh2
> 
> How can I trace this computer's location?  More importantly, how can I
> report this person to his/her ISP?

I can't answer the second question, but you can reduce the impact of
these scripted attacks in two ways - firstly by moving sshd to another
port, and secondly by requiring a public key for ssh logins rather than
allowing passwords.

Moving sshd to another port (222 or 2222 or something else of your
choosing) means that for most of the scripted attacks, it looks like you
are not running sshd at all. Their attempts end in "connection refused".
This alone will knock out most such attacks, and even if they continue,
will reduce the amount of data transferred in each attempt.

Requiring a public key reduces the risk that one of these scripted
attacks will actually find a matching username and password. The
downside is that your users need to be a little more savvy, and (unless
they carry their keypairs around with them) they are limited to logging
in from machines where their keys are available.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)
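
The two measures in the reply above, written as a check against sshd_config text. This is an added example, not part of the original message; the sample configurations are constructed, and only the global section is read (Match blocks, Include files and ListenAddress ports are not evaluated).

```python
import re

# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated alias for the keyboard-interactive setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return (ports, settings) from the global section of sshd_config text."""
    ports, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # simplification: conditional Match blocks are not evaluated
        if key == "port" and value.isdigit():
            ports.append(int(value))         # Port may appear more than once
        elif key != "port":
            settings.setdefault(key, value)  # first value obtained wins
    return ports or [22], settings

def audit(text):
    """List where a configuration departs from the two measures in the message."""
    ports, settings = parse_global(text)
    eff = {k: settings.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if 22 in ports:
        findings.append("sshd listens on port 22")
    if eff["passwordauthentication"] != "no":
        findings.append("password logins are allowed")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive is on; PAM may still ask for a password")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("public key logins are disabled")
    return findings

# Constructed sample configurations, not taken from any real host.
STOCK = "# nothing set, so defaults apply\nUsePAM yes\n"
HARDENED = "Port 2222\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
# The later 'no' is ignored: sshd uses the first value it obtains.
SHADOWED = "Port 2222\nPasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(name, audit(cfg) or "matches both measures")
```

On a real host, passing the output of `sshd -T` (which prints the effective configuration) to `audit()` also covers settings pulled in from Include files.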




