auth.log showing attempted access
Miano, Steven M.
Steven.Miano at mybrighthouse.com
Wed Aug 15 13:29:19 UTC 2007
> I see many entries like this in /var/log/auth.log
>
> sshd[15144]: Failed password for invalid user josh from ::ffff:89.123.234.25 port 2092 ssh2
>
> How can I trace this computer's location? More importantly, how can I
> report this person to his/her ISP? "host 89.123.234.25" showed that
> this DNS entry can not be reversed. Traceroute stops at
> FR1-Frankfurt.teleglobe.net (80.231.64.6). I have added iptables
> rules (see http://www.debian-administration.org/articles/187) to try
> to tighten SSH access. I feel I should do something about it because
> I get a few hundred entries a day coming from the same IP address.
>
> Yuelin.
>
Unfortunately this is part of being connected to the internet. The suggestions already given are a great start. I too use fail2ban, as well as iptables, and moved the port from 22 to 2222. They can still scan and find your ssh ports though - however, it will dramatically reduce the amount of knocks you're receiving on that box. I would definitely double check and make sure that you have only the required shell accounts listed in your allow file, and root disabled as a login through ssh.
Best of luck mate!
~Steven
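As an added example that is not part of this thread, the kind of per-source tally fail2ban performs over the auth.log lines Yuelin quoted: it folds the ::ffff: IPv4-mapped form sshd logs on dual-stack hosts back to plain IPv4, counts failed-password events per source address, and flags addresses that reach a threshold. The sample log lines are constructed for the example; the 89.123.234.25 address is the one from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the auth.log format quoted in the thread (not real traffic).
SAMPLE_AUTH_LOG = """\
Aug 15 13:01:02 box sshd[15144]: Failed password for invalid user josh from ::ffff:89.123.234.25 port 2092 ssh2
Aug 15 13:01:05 box sshd[15146]: Failed password for invalid user admin from ::ffff:89.123.234.25 port 2101 ssh2
Aug 15 13:01:09 box sshd[15150]: Failed password for root from 192.0.2.7 port 40122 ssh2
Aug 15 13:02:11 box sshd[15160]: Accepted publickey for yuelin from 198.51.100.4 port 51000 ssh2
Aug 15 13:03:40 box sshd[15170]: Failed password for invalid user test from ::ffff:89.123.234.25 port 2133 ssh2
"""

# "invalid user" is present only when the username does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def normalize_ip(raw):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4; leave others as-is."""
    addr = ipaddress.ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address objects carry this attribute
    return str(mapped) if mapped is not None else str(addr)


def summarize_failures(log_text):
    """Count failed-password events per source: {ip: {"attempts", "invalid_user", "users"}}."""
    stats = defaultdict(lambda: {"attempts": 0, "invalid_user": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        entry = stats[normalize_ip(m.group("ip"))]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
        if m.group("invalid"):
            entry["invalid_user"] += 1
    return dict(stats)


def offenders(log_text, threshold):
    """Source addresses whose failures reach the threshold, busiest first (the fail2ban-style cut)."""
    summary = summarize_failures(log_text)
    hits = [(ip, s["attempts"]) for ip, s in summary.items() if s["attempts"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_AUTH_LOG)
    for ip, n in offenders(SAMPLE_AUTH_LOG, threshold=3):
        print(f"{ip}: {n} failed attempts, usernames tried: {sorted(summary[ip]['users'])}")
```

Run it against a real /var/log/auth.log by reading the file into log_text; the invalid_user count separates guesses at non-existent accounts from attempts on real ones, which is the figure worth watching for the accounts you actually allow.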