[opensuse] dictionary attacks



Just about every day, often several times a day, my logs include hours
of log entries that look like this:

Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42
Jul 16 00:36:06 raid5 sshd[6985]: Invalid user webmaster from 83.18.244.42
Jul 16 00:36:11 raid5 sshd[6987]: Invalid user username from 83.18.244.42
Jul 16 00:36:16 raid5 sshd[6989]: Invalid user user from 83.18.244.42
Jul 16 00:36:26 raid5 sshd[6994]: Invalid user admin from 83.18.244.42
Jul 16 00:36:31 raid5 sshd[6996]: Invalid user test from 83.18.244.42
Jul 16 00:36:51 raid5 sshd[7017]: Invalid user danny from 83.18.244.42
Jul 16 00:36:56 raid5 sshd[7019]: Invalid user alex from 83.18.244.42
Jul 16 00:37:01 raid5 sshd[7022]: Invalid user brett from 83.18.244.42
Jul 16 00:37:06 raid5 sshd[7024]: Invalid user mike from 83.18.244.42
Jul 16 00:37:12 raid5 sshd[7027]: Invalid user alan from 83.18.244.42
Jul 16 00:37:18 raid5 sshd[7029]: Invalid user data from 83.18.244.42
Jul 16 00:37:22 raid5 sshd[7031]: Invalid user www-data from 83.18.244.42
Jul 16 00:37:28 raid5 sshd[7033]: Invalid user http from 83.18.244.42
Jul 16 00:37:33 raid5 sshd[7037]: Invalid user httpd from 83.18.244.42
Jul 16 00:37:38 raid5 sshd[7040]: Invalid user pop from 83.18.244.42


..... and so on, ad nauseam. Obviously, someone is trying to break in
to my system via SSH. So far as I can tell from examining my logs and
my systems (usually at least 4 other systems on my LAN are under
simultaneous attacks from the same source(s)), the daemon is
successfully withstanding the assault and the system is not compromised.

My question is what, if any firewall rule could I write that could
detect such attacks and automatically shut down forwarding packets from
the offending node or domain? That would give me an additional layer
of defense as well as freeing up a significant amount of log file space.

Thanks in advance,
Richard
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
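As an added illustration of the automation Richard is asking about (this is not part of his post or of any openSUSE tool), the script below parses sshd "Invalid user" lines of the form shown above, keeps a per-source sliding window, flags any address that exceeds a threshold of failed attempts within that window, and prints the iptables rule an administrator could apply to drop further SSH traffic from it. The threshold, window, trusted-network allowlist and the `iptables` invocation are assumptions chosen for the example; the log lines are constructed from the sample in the post plus two made-up lines (a single failure from 192.0.2.10 and a successful login) to show that low-volume sources and non-matching lines are ignored.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, modelled on the lines in the post (not the real log file).
SAMPLE_LOG = """\
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42
Jul 16 00:41:10 raid5 sshd[7100]: Invalid user bob from 192.0.2.10
Jul 16 00:42:15 raid5 sshd[7102]: Accepted publickey for richard from 192.0.2.20 port 50000 ssh2
"""

# Syslog line: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: Invalid user <name> from <ipv4>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumed allowlist: never emit a block rule for the local LAN, so a typo on a
# trusted machine cannot lock the administrator out.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line, year=2007):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None.
    Syslog omits the year, so it is supplied by the caller (2007 for the post)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)


def find_offenders(lines, threshold=5, window_seconds=300, year=2007):
    """Sliding-window detector: returns {ip: time the threshold was first reached}
    for every untrusted source with >= threshold invalid-user attempts within
    any window_seconds interval."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    hits = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue                # not an 'Invalid user' line; ignore
        ts, _user, ip = parsed
        if is_trusted(ip):
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # expire attempts older than the window
        if len(q) >= threshold and ip not in hits:
            hits[ip] = ts
    return hits


def block_commands(hits):
    """Assumed response: an iptables rule dropping SSH from each flagged address.
    The commands are returned as strings for review rather than executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(hits)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in offenders.items():
        print(f"{ip}: threshold reached at {when:%b %d %H:%M:%S}")
    for cmd in block_commands(offenders):
        print(cmd)
```

Running it on the sample flags 83.18.244.42 at 00:35:56 (its fifth attempt in under a minute) and leaves 192.0.2.10 alone, since a single failure does not cross the threshold. A production version would tail the live log and expire the rules after some time; fail2ban implements exactly this log-watching and banning loop for sshd and other services, so it is worth looking at before writing a custom script.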
