glgxg at sbcglobal.net
Mon Jan 12 23:39:22 UTC 2009
On 01/12/2009 03:18 PM, Phil Tann wrote:
> NoOp wrote:
>> For where it came from have a look in /var/log/auth.log
>> It should show something along the lines of:
>> Jan 12 14:06:22 <user> sshd: Accepted password for <username>
>> from 192.168.4.103 port 54921 ssh2
>> Jan 12 14:06:22 <user> sshd: pam_unix(sshd:session): session
>> opened for user <username> by (uid=0)
>> Jan 12 14:06:32 <user> sshd: pam_unix(sshd:session): session
>> closed for user <username>
>> $ cat /var/log/auth.log |grep sshd
>> To stop it happening again, I'd recommend looking into denyhosts &
>> changing your ssh port number from the default 22.
> I have found from personal experience that if a "determined person"
> keeps hunting they go WAY outside the range for standard ports. So I use
> port 19 for ssh on a couple of systems I maintain. It's very occasional
> that I even get a hit on 19. :)
> Good Luck!
> Phil Tann
> phil.tann at gmail.com
The only problem that I see with that is 19 is in the well known ports
range (1-1023), is used by CHARGEN in Linux/Unix, and does get hit as well:
as it was/is used to attack MS:
[Access Violation in Dns.exe Caused by Malicious Telnet Attack]
Were I you, I'd select a different port that is not commonly used.
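
An added example, not part of the original message: the auth.log check quoted above, extended from a plain grep to a per-user, per-source count of sshd password results. The function names, host name, user names and sample log lines are constructed for illustration; on a real system pass /var/log/auth.log as the argument.

```shell
#!/bin/sh
# Constructed sample in the auth.log layout quoted in the thread
# (sshd lines with and without a [pid], plus a pam_unix session line).
sample_auth_log() {
    cat <<'EOF'
Jan 12 14:06:22 host1 sshd[4121]: Accepted password for alice from 192.168.4.103 port 54921 ssh2
Jan 12 14:06:22 host1 sshd[4121]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 12 14:07:01 host1 sshd[4130]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 12 14:07:03 host1 sshd[4130]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 12 14:07:09 host1 sshd[4133]: Failed password for root from 203.0.113.7 port 40031 ssh2
Jan 12 14:09:45 host1 sshd: Accepted password for alice from 192.168.4.103 port 54990 ssh2
EOF
}

# Print "count result user source-ip", most frequent first.
# Reads the file(s) given as arguments, or stdin when there are none.
ssh_login_summary() {
    awk '
    # sshd lines only, with or without a process id after the name
    $5 ~ /^sshd(\[[0-9]+\])?:$/ && ($6 == "Accepted" || $6 == "Failed") {
        user = ""; ip = ""
        for (i = 7; i <= NF; i++) {
            # user follows "for", or "for invalid user" on unknown accounts
            if ($i == "for" && user == "")
                user = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
            # source address follows "from"
            if ($i == "from") ip = $(i+1)
        }
        if (user != "" && ip != "") count[$6 " " user " " ip]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; for a real host:
#   ssh_login_summary /var/log/auth.log
sample_auth_log | ssh_login_summary
```

An "Accepted" row from an address you do not recognise is the entry to investigate; many "Failed" rows from one address are the pattern denyhosts acts on.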