SSH hacked?

NoOp glgxg at
Thu Jan 15 07:24:03 UTC 2009

On 01/14/2009 07:43 AM, Kent Borg wrote:
> NoOp wrote:
>> why don't you try as I suggested? Put a machine w/ssh on an open
>> DSL/Cable modem and watch your logs for a few days?
> I don't need to put up such a test, I already have such a thing.
> Checking the log file is quite easy...
> [check, check. check]
> As always, there have been break in attempts. These attempts came from
> different IP addresses, and you suggested I will attract attacks like
> flies to honey--but for the moment let's assume you are wrong on that
> point and assume that these attacks are really just a single coordinated
> attacker.

I'm not, and the attacks are not. If you believe that, the Google is

I [check, check. check]'ed my router logs and not a single 22 attempt.
The router doesn't have 22 enabled and all 22 traffic is limited to the
local LAN.

I then [check, check. check] another system that doesn't have a router
w/firewall but instead just has a DSL modem w/Ubuntu + denyhosts &
fail2ban; surprise, I clear the logs, change the IP and watch it for 12
hours. Yep; first a few 22 attempts, then a few more, then more... at
the end of the 12 hour period I see over 120 22's. Pretty interesting eh? Of
course nothing gets in, but it's interesting to watch.

I do the same on another machine (same setup), but this time change the
22 to something else and [check, check. check]... and monitor for 12
hours. Huh... no 22 attempts, nothing else. Seems pretty quiet on the
western front.
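
The log check described in this message can be reproduced with a short script. This is an added example, not part of the original post: it tallies failed sshd password attempts per source address and per hour. The sample lines are constructed (syslog-style auth.log format, documentation-range addresses), and the function name and the handling of "message repeated" lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 14 19:02:11 host sshd[4101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jan 14 19:02:15 host sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Jan 14 19:47:52 host sshd[4188]: Failed password for invalid user test from 198.51.100.7 port 51514 ssh2
Jan 14 20:05:01 host CRON[4200]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 20:13:09 host sshd[4250]: Accepted publickey for alice from 203.0.113.5 port 60022 ssh2
Jan 14 21:30:44 host sshd[4302]: Failed password for root from 203.0.113.99 port 33210 ssh2
Jan 14 21:30:47 host sshd[4302]: message repeated 2 times: [ Failed password for root from 203.0.113.99 port 33210 ssh2]
"""

# The user field is matched greedily and the pattern is anchored on the trailing
# "from <ip> port <n> ssh2", because a requested username may itself contain spaces.
FAILED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?:message repeated (?P<rep>\d+) times: \[\s*)?"
    r"Failed password for (?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+\s+ssh2\]?\s*$"
)

def tally_failed_logins(log_text):
    """Return (total attempts, Counter per source IP, Counter per hour)."""
    per_ip, per_hour = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # other daemons and successful logins are not attempts
        # Assumption: a "message repeated N times" line stands for N further attempts.
        n = int(m["rep"] or 1)
        per_ip[m["ip"]] += n
        per_hour[f"{m['mon']} {m['day']} {m['hour']}:00"] += n
    return sum(per_ip.values()), per_ip, per_hour

if __name__ == "__main__":
    total, per_ip, per_hour = tally_failed_logins(SAMPLE_LOG)
    print(f"{total} failed attempts from {len(per_ip)} source addresses")
    for ip, count in per_ip.most_common():
        print(f"  {ip:<16} {count}")
    for hour, count in sorted(per_hour.items()):
        print(f"  {hour}  {count}")
```

Running the same tally against the log of a host listening on port 22 and one listening on another port gives the comparison made above as numbers rather than impressions.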

