On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin <freak4u...@gmail.com> wrote:
> Paul Hartman wrote:
>> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
>> <johan.bluecr...@gmail.com> wrote:
>>> I've always had usernames when it comes to sshd's log entries in
>>> auth.log, like the following:
>>>
>>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>>> <username> from <ip-adress>
>>
>> Well, I don't use PAM, just key-based authentication only, so I always
>> see only the IP getting rejected since it doesn't even give them a
>> place to try a user/password :) It's just weird that it is refusing a
>> connection from u...@domain rather than simply the IP. I guess they
>> could be trying to ssh u...@myhost.net or something. The one with
>> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
>> interesting. I wonder what that's all about.
>>
>
> I too use only PubKey but they need to send a username so ssh knows
> where to look for the public key. Your two options boil down to
>
> 1) install fail2ban (I installed it on all of my external ssh boxes and
> I love it)
> 2) change the ssh port to something other than 22 (Security by Obscurity
> but it frees up your logs so you can see real problems).
>
> The two may be mutually exclusive as I'm not sure if you can tweak
> fail2ban's ssh rules to monitor another port.
>
> I just chalk it up as log spam unless I see definite bad patterns. But
> again, with public key access only and banning root from logging in via
> ssh I don't think anybody is getting far unless there is a flaw in ssh.

Oh, I am not concerned about the attacks. I just thought it was weird
that I saw u...@domain when I normally see only IP or only domain.
They are already refused connection as the log shows :)

Thanks,
Paul
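
An added example, not part of the thread and not fail2ban's own code: a sliding-window failure counter over auth.log lines in the format Johan quoted, which separates a burst from one source from isolated failures. The names `find_offenders`, `max_retry` and `find_time`, the supplied year, and the host and addresses in the constructed sample lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd line format quoted in the thread (PAM failure, user, source).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"error: PAM: Authentication failure for (?P<user>.*) from (?P<src>\S+)$"
)

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2009):
    """Return {source: sorted usernames tried} for every source that reaches
    max_retry failures inside a sliding find_time window."""
    recent = defaultdict(deque)  # source -> failure timestamps still in the window
    users = defaultdict(set)     # source -> every username it attempted
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an sshd PAM failure line
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        users[src].add(m["user"])
        window = recent[src]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()  # drop failures older than the window
        if len(window) >= max_retry:
            flagged.add(src)
    return {src: sorted(users[src]) for src in flagged}

# Constructed sample input; addresses are from documentation ranges.
SAMPLE = """\
Mar 19 10:30:01 myhost sshd[5926]: error: PAM: Authentication failure for root from 192.0.2.10
Mar 19 10:30:05 myhost sshd[5927]: error: PAM: Authentication failure for admin from 192.0.2.10
Mar 19 10:31:40 myhost sshd[5930]: error: PAM: Authentication failure for test from 192.0.2.10
Mar 19 10:32:00 myhost sshd[5931]: error: PAM: Authentication failure for paul from 198.51.100.7
Mar 19 11:50:00 myhost sshd[5990]: error: PAM: Authentication failure for paul from 198.51.100.7
Mar 19 11:51:00 myhost cron[600]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    for src, names in find_offenders(SAMPLE).items():
        print(f"{src}: {len(names)} usernames tried: {', '.join(names)}")
```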