Need advice about break-in attempt

nessuno_at_wigner.berkeley.edu
Date: 06/29/05


Date: 29 Jun 2005 11:52:29 -0700

I'm an intermediate level linux user. I'm running Suse 9.1 on a Dell
system, which is used as scientific computer in a university
environment, with a small number of users. I'm using the openssh that
comes with the Suse distribution, and my system is up-to-date.

I have experienced persistent break-in attempts for the last several
months, as I discovered from the sshd messages in the system log. As
far as I can tell, there have been no attempts made on my mail server
(postfix) or imap server (the only other services I have active). Here
is a sample of the log, where I have changed the domain name:

Jun 15 05:21:36 myhost sshd[20706]: Illegal user richer from ::ffff:211.95.70.2
Jun 15 05:21:40 myhost sshd[20708]: Illegal user fluffy from ::ffff:211.95.70.2
Jun 15 05:21:45 myhost sshd[20710]: Illegal user gold from ::ffff:211.95.70.2
Jun 15 05:21:49 myhost sshd[20712]: Illegal user tomcat from ::ffff:211.95.70.2
Jun 15 05:21:54 myhost sshd[20714]: Illegal user cosinus from ::ffff:211.95.70.2
Jun 15 05:22:06 myhost sshd[20716]: Did not receive identification string from ::ffff:211.95.70.2
Jun 15 08:12:28 myhost sshd[21297]: Did not receive identification string from ::ffff:59.120.195.127
Jun 15 08:19:20 myhost sshd[21372]: Illegal user jack from ::ffff:59.120.195.127
Jun 15 08:19:22 myhost sshd[21374]: Illegal user marvin from ::ffff:59.120.195.127
Jun 15 08:19:25 myhost sshd[21376]: Illegal user andres from ::ffff:59.120.195.127
Jun 15 08:19:27 myhost sshd[21378]: Illegal user barbara from ::ffff:59.120.195.127
Jun 15 08:19:29 myhost sshd[21380]: Illegal user adine from ::ffff:59.120.195.127
Jun 15 08:19:32 myhost sshd[21382]: Illegal user test from ::ffff:59.120.195.127
Jun 15 08:19:34 myhost sshd[21384]: Illegal user guest from ::ffff:59.120.195.127
Jun 15 08:19:36 myhost sshd[21386]: Illegal user db from ::ffff:59.120.195.127

It looks like someone is hitting me with a dictionary of user names,
and that they don't know any legitimate user names. The episodes
involve hundreds of hits, separated by 2-3 seconds, lasting over several
minutes, with gaps of some hours in between. Sometimes I get lengthy
repetitions of a single user name (presumably they are trying different
passwords):

Jun 19 03:56:49 myhost sshd[11955]: Illegal user anderson from ::ffff:211.250.2.131
Jun 19 03:56:50 myhost sshd[11957]: Illegal user anderson from ::ffff:211.250.2.131
Jun 19 03:56:52 myhost sshd[11959]: Illegal user anderson from ::ffff:211.250.2.131
Jun 19 03:56:53 myhost sshd[11961]: Illegal user anderson from ::ffff:211.250.2.131
Jun 19 03:56:54 myhost sshd[11963]: Illegal user anderson from ::ffff:211.250.2.131
Jun 19 03:56:56 myhost sshd[11965]: Illegal user anderson from ::ffff:211.250.2.131

and so on. The IP addresses change; sometimes I can resolve them (one
is a high school in New York), sometimes not. Sometimes I get hit by
more than one IP address at once (max two, I think).

I'd like some advice about what to do about this. For example, it
would be nice to block an ip address for some period of time after some
number of failed login attempts. I looked at the sshd configuration
file and changed some parameters to tighten things up, but I didn't see
any way to really stop this kind of behavior.

I googled for advice on this kind of problem, but didn't find anything
useful. I know the best advice may be to look into firewall rules, but
I haven't investigated that yet.

Thanks,
Robert Littlejohn
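The "block an address after N failed logins in a short time" policy the post asks about starts with detection: parsing the two sshd message forms quoted above and counting them per source address in a sliding time window. The script below is an added example written for this thread, not the poster's code or anything from the openssh or Suse projects; the log lines in SAMPLE are constructed to mirror the post's entries, and the threshold and window values are illustrative assumptions (the actual blocking, via firewall rules, is left out).

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two sshd forms quoted in the post; "::ffff:" is an IPv4-mapped IPv6 prefix and is stripped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?:Illegal user (?P<user>\S+) "
    r"from|Did not receive identification string from) (?:::ffff:)?(?P<ip>[\d.]+)$")

# Constructed sample modelled on the post's entries (syslog lines carry no year).
SAMPLE = [
    "Jun 15 05:21:36 myhost sshd[20706]: Illegal user richer from ::ffff:211.95.70.2",
    "Jun 15 05:21:40 myhost sshd[20708]: Illegal user fluffy from ::ffff:211.95.70.2",
    "Jun 15 05:21:45 myhost sshd[20710]: Illegal user gold from ::ffff:211.95.70.2",
    "Jun 15 05:21:49 myhost sshd[20712]: Illegal user tomcat from ::ffff:211.95.70.2",
    "Jun 15 05:21:54 myhost sshd[20714]: Illegal user cosinus from ::ffff:211.95.70.2",
    "Jun 15 05:22:06 myhost sshd[20716]: Did not receive identification string from ::ffff:211.95.70.2",
    "Jun 15 08:19:20 myhost sshd[21372]: Illegal user jack from ::ffff:59.120.195.127",
    "Jun 15 08:20:01 myhost postfix/smtpd[21400]: connect from unknown[10.0.0.9]",
]

def parse_line(line, year=2005):
    """Return (timestamp, ip, user or None) for an sshd failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def offenders(lines, threshold=5, window_seconds=600):
    """{ip: (total_failures, sorted usernames tried)} for IPs with >= threshold failures in one window."""
    stamps, users = defaultdict(list), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # postfix, imap and other non-sshd lines are skipped
        ts, ip, user = parsed
        stamps[ip].append(ts)
        users[ip].add(user)
    hits = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(times):
            while (ts - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(times), sorted(u for u in users[ip] if u))
                break
    return hits
```

Running `offenders(SAMPLE)` flags only 211.95.70.2 (six failures in thirty seconds, five distinct usernames), which is the per-address evidence a firewall rule or a tool such as a log-watching blocker would act on.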