auth.log showing attempted access

Brad Johnson brad at bkjohnson.com
Wed Aug 15 06:30:16 UTC 2007


On Tue, 2007-08-14 at 20:46 -0400, Yuelin Li wrote:
> I see many entries like this in /var/log/auth.log
> 
> sshd[15144]: Failed password for invalid user josh from::ffff:89.123.234.25 port 2092 ssh2
> 
> How can I trace this computer's location?  More importantly, how can I
> report this person to his/her ISP?  "host 89.123.234.25" showed that
> this DNS entry can not be reversed.  Traceroute stops at
> FR1-Frankfurt.teleglobe.net (80.231.64.6).  I have added iptables
> rules (see http://www.debian-administration.org/articles/187) to try
> to tighten SSH access.  I feel I should do something about it because
> I get a few hundred entries a day coming from the same IP address.
> 
> Yuelin.

The Denyhosts package works wonderfully. It can ban users by adding an
entry to your /etc/hosts.deny file based on the auth.log and can do it
for just sshd, the entire system or any combination of services on your
machine. Additionally, it can treat attempts for root, a valid user and
invalid users differently which is sometimes desirable. Lastly, you can
set up expiry so bans are removed after a period of time. It's even smart
enough to know if a host has been added, then expired and re-added and
can permanently ban as you desire.

Brad Johnson
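
The approach described in the reply above, sketched as an added example (not DenyHosts' own code and not part of the original message): count failed sshd logins per source address, apply a different limit for root, valid and invalid accounts, and print hosts.deny entries. The thresholds, function names and sample log lines are assumptions constructed for illustration; ban expiry is not covered.

```python
import re
from collections import Counter

# Constructed sample in the sshd format quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
Aug 14 20:40:01 box sshd[15144]: Failed password for invalid user josh from ::ffff:192.0.2.25 port 2092 ssh2
Aug 14 20:40:03 box sshd[15146]: Failed password for invalid user test from ::ffff:192.0.2.25 port 2101 ssh2
Aug 14 20:40:05 box sshd[15148]: Failed password for invalid user guest from ::ffff:192.0.2.25 port 2110 ssh2
Aug 14 20:40:07 box sshd[15150]: Failed password for invalid user a from 198.51.100.7 port 22 ssh2 from ::ffff:192.0.2.25 port 2119 ssh2
Aug 14 20:41:00 box sshd[15160]: Failed password for alice from ::ffff:198.51.100.7 port 4011 ssh2
Aug 14 20:42:00 box sshd[15170]: Failed password for root from ::ffff:203.0.113.50 port 5001 ssh2
Aug 14 20:42:02 box sshd[15172]: Failed password for root from ::ffff:203.0.113.50 port 5002 ssh2
Aug 14 20:43:00 box sshd[15180]: Accepted password for alice from ::ffff:198.51.100.7 port 4012 ssh2
"""

# Hypothetical limits: failures tolerated per account class before a ban.
THRESHOLDS = {"root": 1, "invalid": 3, "valid": 5}

# The user name is attacker-controlled, so match it greedily and anchor the
# address to the END of the line: a name containing " from <ip> port ..."
# then cannot get someone else's address banned.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from\s*(?P<addr>\S+) port \d+ ssh2\s*$")

def parse_failure(line):
    """Return (address, account_class) for a failed login, else None."""
    m = FAILED.search(line)
    if not m:
        return None
    addr = m.group("addr")
    if addr.lower().startswith("::ffff:"):  # IPv4-mapped IPv6 prefix
        addr = addr[len("::ffff:"):]
    if m.group("invalid"):
        return addr, "invalid"
    return addr, "root" if m.group("user") == "root" else "valid"

def hosts_to_deny(log_text, thresholds=THRESHOLDS):
    """Addresses whose failures in any account class exceed that class's limit."""
    counts = Counter(filter(None, map(parse_failure, log_text.splitlines())))
    return sorted({a for (a, kind), n in counts.items() if n > thresholds[kind]})

def hosts_deny_lines(addrs, service="sshd"):
    return [f"{service}: {a}" for a in addrs]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```

The fourth sample line carries a user name that embeds another address; it is counted against the real source, which is what pushes that source over the invalid-user limit.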

More information about the ubuntu-users mailing list