2007/10/9, T o n g <[EMAIL PROTECTED]>:
> [This is a security configuration question. Let me try it here to see if I
> can get some valuable inputs before heading to newsgroup]
>
> Hi,
>
> I used to turn on my sshd just in case that I need to ssh back into my
> box. But recently, I noticed that whenever I turn it on, almost instantly,
> there will be a cracker attempting cracking into my sshd:
>
> $ tail -15 /var/log/auth.log
> Oct 6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152
> Oct 6 10:52:05 cxmr sshd[7374]: Address 220.229.57.152 maps to
> adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the
> address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) check pass; user unknown
> Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) authentication failure; logname=
> uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch
> from 220.229.57.152 port 46369 ssh2
> Oct 6 10:52:10 cxmr sshd[7379]: Invalid user german from 220.229.57.152
> Oct 6 10:52:10 cxmr sshd[7379]: Address 220.229.57.152 maps to
> adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the
> address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) check pass; user unknown
> Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) authentication failure; logname=
> uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german
> from 220.229.57.152 port 46536 ssh2
> Oct 6 10:52:20 cxmr sshd[7384]: Invalid user hitler from 220.229.57.152
> Oct 6 10:52:20 cxmr sshd[7384]: Address 220.229.57.152 maps to
> adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the
> address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) check pass; user unknown
> Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) authentication failure; logname=
> uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler
> from 220.229.57.152 port 46858 ssh2
>
> What's your recommendation for such a situation?
>
> PS.
>
> 1. I used to track down their ISP and complain about the cracking attempts,
> but nobody seems to be listening to me, and there have never been any
> responses.
>
> 2. I think the (default Debian) sshd configuration should be changed. Even
> someone who attempts cracking by typing in user names and passwords
> manually in front of a tty will be penalized. But I've noticed my sshd joyfully
> allows thousands of cracking attempts within minutes. This is rather silly,
> or incompetent.
>
> Please comment.
>
> thanks

Hello,

you can install denyhosts:

$ apt-cache search denyhosts
denyhosts - an utility to help sys admins thwart ssh hackers

or you can change the default ssh port.

Best regards,
Sergio Cuellar
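
The idea behind a log-watching tool such as the one suggested in the reply, shown as an added example that is not part of the thread and is not denyhosts' own code: count "Failed password" entries per source address inside a time window and report the addresses that reach a threshold. The function name, threshold, window, assumed year and the sample log are all assumptions made for this sketch.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd/syslog format shown in the post.
# Hosts, users and addresses (documentation ranges) are made up.
SAMPLE_LOG = """\
Oct 6 10:52:07 host sshd[7374]: Failed password for invalid user alice from 203.0.113.7 port 46369 ssh2
Oct 6 10:52:12 host sshd[7379]: Failed password for invalid user bob from 203.0.113.7 port 46536 ssh2
Oct 6 10:52:22 host sshd[7384]: Failed password for invalid user carol from 203.0.113.7 port 46858 ssh2
Oct 6 10:53:01 host sshd[7390]: Accepted password for dave from 198.51.100.4 port 50112 ssh2
Oct 6 10:55:40 host sshd[7401]: Failed password for dave from 198.51.100.4 port 50200 ssh2
Oct 6 10:56:00 host sshd[7410]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.7 port 47001 ssh2
Oct 6 11:40:02 host sshd[7455]: Failed password for dave from 198.51.100.4 port 50311 ssh2
"""

# The user name is chosen by the remote client, so the greedy ".*" plus the
# "$" anchor take the address from the fixed fields at the end of the line.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def offenders(log_text, max_failures=3, window=timedelta(minutes=10), year=2007):
    """Return {ip: peak failure count} for sources reaching max_failures within window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # not a literal address; never act on unparsed text
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year (assumed)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins inside the window")
```

The returned addresses are what a blocking tool would then feed to a deny list or firewall rule; the legitimate user with two mistyped passwords 44 minutes apart stays below the threshold.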