Paul Hartman wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
> <johan.bluecr...@gmail.com> wrote:
>> I've always had usernames when it comes to sshd's log entries in
>> auth.log, like the following:
>>
>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>> <username> from <ip-adress>
>
> Well, I don't use PAM, just key-based authentication only, so I always
> see only the IP getting rejected since it doesn't even give them a
> place to try a user/password :) It's just weird that it is refusing a
> connection from u...@domain rather than simply the IP. I guess they
> could be trying to ssh u...@myhost.net or something. The one with
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
> interesting. I wonder what that's all about.
>
I too use only PubKey but they need to send a username so ssh knows where to look for the public key.

Your two options boil down to 1) install fail2ban (I installed it on all of my external ssh boxes and I love it) 2) change the ssh port to something other than 22 (Security by Obscurity but it frees up your logs so you can see real problems). The two may be mutually exclusive as I'm not sure if you can tweak fail2ban's ssh rules to monitor another port.

I just chalk it up as log spam unless I see definite bad patterns. But again, with public key access only and banning root from logging in via ssh I don't think anybody is getting far unless there is a flaw in ssh.

--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
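
The failure counting that a tool like fail2ban applies to auth.log, as an added example that is not part of the original thread and is not fail2ban's own code: it parses the PAM failure line quoted above plus two standard OpenSSH failure messages and flags addresses that fail repeatedly inside a time window. The hostnames, addresses, thresholds, assumed log year and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
# Greedy user field plus an end anchor: the address is taken from the last
# " from " on the line, so a username containing " from " cannot spoof it.
PATTERNS = [re.compile(PREFIX + p) for p in (
    r"error: PAM: Authentication failure for (?P<user>.*) from (?P<ip>\S+)$",
    r"Failed \S+ for (?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$",
    r"Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?$",
)]

def parse_failure(line, year=2009):
    """Return (timestamp, ip, user) for a failed-login line, else None."""
    m = next((hit for p in PATTERNS if (hit := p.match(line))), None)
    if m is None:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return None  # a hostname or garbage where an address should be
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, ip, m["user"]

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each IP with >= maxretry failures inside findtime to its ban time."""
    recent, banned = defaultdict(deque), {}
    for ts, ip, _user in filter(None, map(parse_failure, lines)):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            banned.setdefault(ip, ts)
    return banned

# Constructed sample lines (documentation address ranges), in time order.
SAMPLE_LINES = """
Mar 19 10:30:01 host sshd[5926]: error: PAM: Authentication failure for root from 203.0.113.7
Mar 19 10:30:05 host sshd[5927]: Invalid user admin from 203.0.113.7
Mar 19 10:30:09 host sshd[5928]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Mar 19 10:31:00 host sshd[5930]: Invalid user x from 198.51.100.9 from 192.0.2.50
Mar 19 11:50:00 host sshd[5940]: Failed password for root from 192.0.2.50 port 4100 ssh2
""".strip().splitlines()

print(find_offenders(SAMPLE_LINES))
```

The fourth sample line carries a username that itself contains " from 198.51.100.9"; the parser attributes the failure to 192.0.2.50, the address sshd appended, rather than to the attacker-chosen text.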