auth.log showing attempted access

Felipe Figueiredo philsf79 at
Wed Aug 15 15:47:53 UTC 2007

On Wednesday 15 August 2007 10:29:19 Miano, Steven M. wrote:

> Unfortunately this is part of being connected to the internet. The
> suggestions already given are a great start. I too use fail2ban, as well as
> iptables, and moved the port from 22 to 2222. They can still scan and find
> your ssh ports though - however, it will dramatically reduce the amount of
> knocks you're receiving on that box. I would definitely double check and make
> sure that you have only the required shell accounts listed in your allow
> file, and root disabled as a login through ssh.
> Best of luck mate!

Second that. What I also did, for my home computer (as well as fail2ban) was 
to only allow ssh key authentication, and lock the login availability to a 
couple of users. This way I'm pretty much secure, as long as I can trust the 
remote servers where my keys are stored. Since I do trust them (I alone am 
their admin) I also enable ssh-agent and disable the knownhosts hashing, so I 
can bash-auto-complete hostnames and only type the passphrase once. Security 
and practicality.

Concerning the other question, I usually email the abuse addresses available 
in whois queries, but don't usually get replies. Good luck. I decided to 
blacklist the ISP's IP ranges (also available in the whois query), when I don't 
get answers, and attempts get repetitive. I automated this process with a 
separate script that loads the IPs/ranges into a particular chain in iptables, 
and flushes it frequently and re-adds everything, without disrupting the 
ordinary rules. It's easy and functional, so I recommend you do.

Also, take a look at fwlogwatch and other NIDSs that can create block rules 
based on network activity, together with fail2ban that blocks based on log 
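
The dedicated-chain reload described in the message above, as an added example that is not part of the original post and not the poster's script. The chain name `BLOCKLIST`, the list file `/etc/blocklist.txt` and the use of `iptables-restore --noflush` for the flush-and-refill step are assumptions of this example.

```shell
#!/bin/sh
# Added example. CHAIN and the blocklist path in the usage note are assumptions.
CHAIN="BLOCKLIST"

# Succeed only for a.b.c.d or a.b.c.d/n with octets 0-255 and n 0-32, so that
# nothing read from the list file can smuggle extra text into a rule.
is_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in
        */*) len=${1#*/} ;;
        *)   len=32 ;;
    esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets on the dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read one address or range per line on stdin ('#' starts a comment) and print
# iptables-restore input that declares only $CHAIN. Fed to
# "iptables-restore --noflush", that flushes and refills this one chain in a
# single commit and leaves every other chain and rule as it was.
build_ruleset() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | LC_ALL=C sort -u |
    while IFS= read -r entry; do
        if is_ipv4_cidr "$entry"; then
            printf '%s\n' "-A $CHAIN -s $entry -j DROP"
        else
            printf 'skipped invalid entry: %s\n' "$entry" >&2
        fi
    done
    printf 'COMMIT\n'
}

# Usage, as root (the jump from INPUT is added once, not on every reload):
#   build_ruleset < /etc/blocklist.txt | iptables-restore --noflush
#   iptables -C INPUT -j BLOCKLIST 2>/dev/null || iptables -I INPUT -j BLOCKLIST
```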