SSH hacked?

NoOp glgxg at
Mon Jan 12 23:39:22 UTC 2009

On 01/12/2009 03:18 PM, Phil Tann wrote:
> NoOp wrote:
>> For where it came from have a look in /var/log/auth.log
>> It should show something along the lines of:
>> Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
>> from port 54921 ssh2
>> Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
>> opened for user <username> by (uid=0)
>> Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
>> closed for user <username>
>> $ cat /var/log/auth.log |grep sshd
>> To stop it happening again, I'd recommend looking into denyhosts &
>> changing your ssh port number from the default 22.
> I have found from personal experience that if a "determined person" 
> keeps hunting they go WAY outside the range for standard ports.  So I use 
> port 19 for ssh on a couple of systems I maintain.  It's very occasional 
> that I even get a hit on 19. :)
> Good Luck!
> Phil Tann
> phil.tann at

The only problem that I see with that is 19 is in the well-known ports
range (1-1023), is used by CHARGEN in Linux/Unix, and does get hit as well:


as it was/is used to attack MS:
[Access Violation in Dns.exe Caused by Malicious Telnet Attack]

Were I you, I'd select a different port that is not commonly used.
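
The auth.log check quoted earlier in this message, carried one step further as an added example (not part of the original post or of anyone's reply): for each accepted password login it reports the source address, the user, and how many failed password attempts that address made beforehand. The function names, host name and log lines are constructed for illustration, and the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example: correlate sshd "Accepted password" lines with earlier
# "Failed password" lines from the same source address.
# Output per accepted login: <source-ip> <user> <failures-before-login>

ssh_login_report() {
    # Reads auth.log-style text from the files given as arguments,
    # or from stdin when called without arguments.
    awk '
        # Both line types end in: from <ip> port <n> ssh2
        # Counting fields from the end keeps odd usernames from
        # shifting the address field.
        /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
            failed[$(NF-3)]++
            next
        }
        /sshd\[[0-9]+\]: Accepted password for / && $(NF-4) == "from" {
            printf "%s %s %d\n", $(NF-3), $(NF-5), failed[$(NF-3)] + 0
        }
    ' "$@"
}

# Constructed sample input (not taken from a real system).
sample_auth_log() {
    cat <<'EOF'
Jan 12 14:01:10 host1 sshd[12001]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Jan 12 14:01:13 host1 sshd[12003]: Failed password for alice from 203.0.113.5 port 40112 ssh2
Jan 12 14:01:17 host1 sshd[12005]: Failed password for alice from 203.0.113.5 port 40114 ssh2
Jan 12 14:01:21 host1 sshd[12007]: Accepted password for alice from 203.0.113.5 port 40116 ssh2
Jan 12 14:06:22 host1 sshd[12412]: Accepted password for bob from 192.0.2.10 port 54921 ssh2
Jan 12 14:06:22 host1 sshd[12414]: pam_unix(sshd:session): session opened for user bob by (uid=0)
EOF
}

# Demo run on the constructed sample.
sample_auth_log | ssh_login_report
```

On a live system the same function can be pointed at the real file with `ssh_login_report /var/log/auth.log`; a login preceded by failures from the same address is the one to look at first.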
