On 03/08/07, Ravid Baruch Naali <[EMAIL PROTECTED]> wrote: > > Hi List, > > Does any one else get this frequently? > Some kind of automated program trying to log into my sshd, each time from > a different IP address. off course (I hope) all of the users are invalid. > > Did any of you noticed it? and if so what are your solutions? >
I saw reports about increased sshd probes during this week on an Australian LUG mailing lists too. Apparently there is a wave of these going on world wide. Possible ways to handle: 1. Change port as others suggested - works great for me. 2. Make sure you can only authenticate using public/private keys. 3. Install "denyhosts", which adds attacking IP's to /etc/hosts.deny based on the sshd logs, also can synchronize info with other attacked hosts. 4. Use iptables to limit number of attempts from each IP. 5. Use iptables to slow down connections from attackers (target "TARPIT"). 6. Install a honeypot and send the results to central sites which collect such info. That's all folks, --Amos
