On Sunday 18 September 2005 13:36, Daevid Vincent wrote:
> I was poking around my system today and noticed a log that I never knew
> existed.
>
> /var/log/pwdfail/*
>
> Much to my surprise, I see all these entries (hundreds) from some 'blankety
> blank blank' trying to hack my server!!
>
> daevid pwdfail # cat current
> Sep 17 13:00:25 [sshd(pam_unix)] authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=61.103.229.40
> Sep 17 13:00:27 [sshd] Failed password for invalid user webmaster from
> 61.103.229.40 port 49431 ssh2
> Sep 17 13:00:29 [sshd(pam_unix)] authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=61.103.229.40
> Sep 17 13:00:31 [sshd] Failed password for invalid user oracle from
> 61.103.229.40 port 49556 ssh2
> Sep 17 13:00:33 [sshd(pam_unix)] authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=61.103.229.40
> Sep 17 13:00:35 [sshd] Failed password for mysql from 61.103.229.40 port
> 49660 ssh2
> Sep 17 13:00:37 [sshd(pam_unix)] authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root
> Sep 17 13:00:39 [sshd] Failed password for root from 61.103.229.40 port
> 49769 ssh2
> Sep 17 13:00:41 [sshd(pam_unix)] authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root
> Sep 17 13:00:43 [sshd] Failed password for root from 61.103.229.40 port
> 49879 ssh2
>
> I figure there should be a script someone has written that will parse this
> and automatically add these unique IP addresses (sans redundant ones) to my
> /etc/shorewall/blacklist
>
> Google for "shorewall pwdfail" doesn't have very many results though, and
> the ones there are in German or something.
Yes, I see that on all our servers. Not much more than an annoyance unless you have stupidly obvious passwords, but annoying for sure.

On customer servers that don't require access from everywhere and anywhere I just configure hosts.allow and hosts.deny to drop traffic from all but known addresses, but this is of course not an option for a webserver or whatever.

There have been lots of discussions on various lists about handling these brute force ssh scripts, with various strategies for having iptables rules limit login attempts after three unsuccessful attempts, but I've seen as many "it didn't work for me" posts as "do it this way" and, not being a firewall guru, I've sat on the fence so far.

I think the problem with just blacklisting IPs is that the list will just grow and grow as these cretins move around all the time.

Oh for a small incendiary device that could be targeted by IP address! ;-)

--
best regards
Brian

------------
Brian Parish
Managing Director
Univex Systems Pty Ltd
Phone: 1300 73 64 54

--
gentoo-user@gentoo.org mailing list
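Added example, not code posted by Daevid or Brian: a small script of the kind Daevid asks for, which parses the sshd "Failed password" lines shown in the quoted pwdfail log, keeps only sources that cross a failure threshold (three attempts, the figure Brian mentions), and appends the ones not already present to a Shorewall blacklist body. The sample log is constructed from the quoted lines plus one invented TEST-NET address; the assumed blacklist layout is one address per line, first column, `#` comments ignored.

```python
import re
import sys
from collections import Counter

# One "Failed password" line per attempt; the pam_unix line for the same
# attempt is deliberately not counted, so the threshold is in attempts.
FAILED = re.compile(r"\[sshd\] Failed password for .* from "
                    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed sample: six lines mirror the quoted pwdfail log, the last one
# (198.51.100.7, a TEST-NET-2 address) is invented to show thresholding.
SAMPLE_LOG = """\
Sep 17 13:00:25 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40
Sep 17 13:00:27 [sshd] Failed password for invalid user webmaster from 61.103.229.40 port 49431 ssh2
Sep 17 13:00:31 [sshd] Failed password for invalid user oracle from 61.103.229.40 port 49556 ssh2
Sep 17 13:00:35 [sshd] Failed password for mysql from 61.103.229.40 port 49660 ssh2
Sep 17 13:00:39 [sshd] Failed password for root from 61.103.229.40 port 49769 ssh2
Sep 17 13:00:43 [sshd] Failed password for root from 61.103.229.40 port 49879 ssh2
Sep 17 13:05:02 [sshd] Failed password for bob from 198.51.100.7 port 40001 ssh2
"""

def count_failures(lines):
    """Map source IP -> number of failed password attempts."""
    hits = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def offenders(lines, threshold=3):
    """IPs with at least `threshold` failures, busiest first."""
    counts = count_failures(lines)
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))

def merge_blacklist(existing, new_ips):
    """Return (new file text, IPs appended) for a blacklist body, skipping
    addresses already listed (first column; '#' comments ignored)."""
    present = set()
    for raw in existing.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if raw:
            present.add(raw.split()[0])
    added = [ip for ip in new_ips if ip not in present]
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + "".join(ip + "\n" for ip in added), added

if __name__ == "__main__":
    # Usage: script.py [logfile] [blacklist]; prints the merged blacklist.
    log = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    old = open(sys.argv[2]).read() if len(sys.argv) > 2 else ""
    text, added = merge_blacklist(old, offenders(log))
    sys.stdout.write(text)
```

Redirect the output over the real file only after reviewing it, since a blacklist that grows unattended is exactly the maintenance problem Brian describes.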