Re: Odd ssh attacks?



Chris,

Chris wrote:
> Is anyone seeing this in /var/log/auth.log ?
>
> Apr 21 14:32:17 racerx sshd[16985]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=6a.5d.1343.static.theplanet.com user=root
> Apr 21 14:32:20 racerx sshd[16985]: Failed password for root from
> 67.19.93.106 port 57194 ssh2
> Apr 21 14:32:20 racerx sshd[16987]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=6a.5d.1343.static.theplanet.com user=root
> Apr 21 14:32:22 racerx sshd[16987]: Failed password for root from
> 67.19.93.106 port 57590 ssh2

Yes, I see this kind of thing all the time. Once you have an ssh server
running, the hackers will find your machine and attempt to crack your
machine by trying commonly known user names and their default password.

The first thing to do is to set ssh so users have to use a key rather
than a password.

If you can set your firewall to limit which machines can connect to you
then that will help too. Depending on whether you know where your users
are, this may not be feasible.

Finally, I would look at the package 'fail2ban'. This will temporarily
block any IP that is attempting to log in to your machine over ssh,
but failing. This won't stop it altogether but it will significantly
cut it down.

Regards,
Tony.
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold@xxxxxxxxxxxxxxxx, H: http://www.man.ac.uk/Tony.Arnold
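
Added example (not part of the original message, and not fail2ban's own code): a simplified sketch of the kind of check the reply attributes to fail2ban, counting "Failed password" entries per source address inside a sliding time window. The sample log, host name, addresses, thresholds and the assumed year are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the auth.log format quoted above, one entry per line.
# Host name and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
Apr 21 09:00:00 host1 sshd[101]: Failed password for root from 198.51.100.7 port 40000 ssh2
Apr 21 09:20:00 host1 sshd[102]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 21 09:40:00 host1 sshd[103]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr 21 14:32:17 host1 sshd[201]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Apr 21 14:32:20 host1 sshd[201]: Failed password for root from 192.0.2.10 port 57194 ssh2
Apr 21 14:32:22 host1 sshd[202]: Failed password for invalid user admin from 192.0.2.10 port 57590 ssh2
Apr 21 14:32:25 host1 sshd[203]: Failed password for root from 192.0.2.10 port 57800 ssh2
Apr 21 14:40:00 host1 sshd[301]: Accepted password for alice from 203.0.113.5 port 50000 ssh2
"""

# Only sshd "Failed password" entries count; PAM and "Accepted" lines are skipped.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def find_offenders(log_text, max_retry=3, find_time=600, year=2000):
    """Return {ip: time of the failure that reached max_retry within find_time s}.

    syslog timestamps carry no year, so `year` is an assumption.
    """
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in offenders:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        times = recent[m["ip"]]
        times.append(ts)
        while ts - times[0] > window:   # drop failures older than the window
            times.popleft()
        if len(times) >= max_retry:
            offenders[m["ip"]] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when:%b %d %H:%M:%S}")
```

With the default ten-minute window only the rapid burst is flagged; the address that retries every twenty minutes stays under the threshold, which is why a block of this kind cuts the noise down rather than stopping it.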
