auth.log showing attempted access

Miano, Steven M. Steven.Miano at mybrighthouse.com
Wed Aug 15 13:29:19 UTC 2007 

> I see many entries like this in /var/log/auth.log
>
> sshd[15144]: Failed password for invalid user josh from::ffff:89.123.234.25 port 2092 ssh2
>
> How can I trace this computer's location?  More importantly, how can I
> report this person to his/her ISP?  "host 89.123.234.25" showed that
> this DNS entry can not be reversed.  Traceroute stops at
> FR1-Frankfurt.teleglobe.net (80.231.64.6).  I have added iptables
> rules (see http://www.debian-administration.org/articles/187) to try
> to tighten SSH access.  I feel I should do something about it because
> I get a few hundred entries a day coming from the same IP address.
>
> Yuelin.
>
>
>      =====================================================================
>
>      Please note that this e-mail and any files transmitted with it may be
>      privileged, confidential, and protected from disclosure under
>      applicable law. If the reader of this message is not the intended
>      recipient, or an employee or agent responsible for delivering this
>      message to the intended recipient, you are hereby notified that any
>      reading, dissemination, distribution, copying, or other use of this
>      communication or any of its attachments is strictly prohibited.  If
>      you have received this communication in error, please notify the
>      sender immediately by replying to this message and deleting this
>      message, any attachments, and all copies and backups from your
>      computer.
>
>

Unfortunately this is part of being connected to the internet. The suggestions already given are a great start. I too use fail2ban, as well as iptables, and moved the port from 22 to 2222. They can still scan and find your ssh ports though - however, it will dramatically reduce the amount of knocks your receiving on that box. I would definitely double check and make sure that you have only the required shell accounts listed in your allow file, and root disabled as a login through ssh.

Best of luck mate!

~Steven

CONFIDENTIALITY NOTICE: This e-mail may contain information that is privileged, confidential or otherwise protected from disclosure. If you are not the intended recipient of this e-mail, please notify the sender immediately by return e-mail, purge it and do not disseminate or copy it.

More information about the ubuntu-users mailing list