Odd ssh attacks?
David Ford
david at blue-labs.org
Thu Jul 19 11:25:43 UTC 2007
Art Edwards wrote:
> Chris wrote:
>
>> Is anyone seeing this in /var/log/auth.log ?
>>
>> Apr 21 14:32:17 racerx sshd[16985]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=6a.5d.1343.static.theplanet.com user=root
>> Apr 21 14:32:20 racerx sshd[16985]: Failed password for root from 67.19.93.106 port 57194 ssh2
>> [..]
>>
> I just noticed the same sort of traffic and I'm in the middle of
> tightening things up. I just installed fail2ban. The jail.conf file is
> where you can specify the maximum number of times an IP address can ask
> for entry, as well as the timeout period until that IP can try again.
>
> [..]
[...]
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Test the counter first: a source already seen 3 times in the last 60 s
# is sent to LOGDROP (a user-defined log-and-drop chain, not shown here).
# If the --set/ACCEPT rule came first, every new connection would be
# accepted before this rule was ever reached.
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW \
    -m recent --name sshprobe --update --seconds 60 --hitcount 3 -j LOGDROP
# Otherwise record this attempt in the sshprobe list and let it through.
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW \
    -m recent --name sshprobe --set -j ACCEPT
[...]
...making it happen in kernel space where it's far less resource-intensive
and doesn't require any additional software installation or
configuration.
-david
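As an added example (not code from David's message or from anyone in the thread), here is the same 60-second, 3-hit window applied after the fact to auth.log lines of the format Chris quoted, which is useful for checking what such a rule would have caught. The sample log lines, the function names and the 192.0.2.10 address are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "Failed password" line as it appears in the thread's auth.log excerpt.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample: four failures from one host inside a minute, one from
# another host, then a late retry from the first host after the window expired.
SAMPLE_LOG = """\
Apr 21 14:32:20 racerx sshd[16985]: Failed password for root from 67.19.93.106 port 57194 ssh2
Apr 21 14:32:23 racerx sshd[16987]: Failed password for root from 67.19.93.106 port 57201 ssh2
Apr 21 14:32:27 racerx sshd[16989]: Failed password for invalid user admin from 67.19.93.106 port 57210 ssh2
Apr 21 14:32:31 racerx sshd[16991]: Failed password for root from 67.19.93.106 port 57215 ssh2
Apr 21 14:35:02 racerx sshd[17002]: Failed password for root from 192.0.2.10 port 40000 ssh2
Apr 21 14:36:40 racerx sshd[17010]: Failed password for root from 67.19.93.106 port 57300 ssh2
"""

def parse_ts(stamp, year=2007):
    # syslog timestamps carry no year; the thread's year is assumed.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def sliding_window_offenders(lines, seconds=60, hitcount=3):
    """Mirror '-m recent --update --seconds 60 --hitcount 3' over log lines.

    As in xt_recent, the check is made against the stamps already recorded
    for the address before the current attempt is added, so with hitcount=3
    the fourth failure inside the window is the first one flagged.
    Returns {ip: [timestamps of flagged attempts]}.
    """
    stamps = defaultdict(deque)   # per-source timestamps, oldest first
    flagged = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        window = stamps[ip]
        while window and (t - window[0]).total_seconds() > seconds:
            window.popleft()      # expire stamps older than the window
        if len(window) >= hitcount:
            flagged[ip].append(m["ts"])
        window.append(t)
    return dict(flagged)

if __name__ == "__main__":
    print(sliding_window_offenders(SAMPLE_LOG.splitlines()))
```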