I am seeing many hundreds of lines similar to the ones below. Could you please advise me what to do and how I can make my box more secure?

Jan 9 17:54:42 localhost sshd: reverse mapping checking getaddrinfo for bbs-83-179.189.218.on-nets.com [220.127.116.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 9 17:54:42 localhost sshd: Invalid user sysadmin from 18.104.22.168
Please, this is possibly the most frequently asked question not in the FAQ. Understand that whenever you make a service available on the internet, someone is going to try to break in. Be it ssh, smtp, dns, http, etc. What you need to learn is to identify which attacks constitute a real threat to your system.
The first log entry is no sign of a break-in attempt. Just because a DNS server is misconfigured doesn't mean that people are trying to attack you.
The second line is evidence that some illicit events are recorded. But, there is no reason to worry about these if you have properly configured your box. Please search the archives for ssh brute force - this topic has been discussed a zillion times.
Some mention port knocking. This doesn't make people stop trying to get into your box. It introduces an extra hassle to do so, as you first have to knock on the port in a secret (but shared) sequence. Then you will authenticate as previously.
If you are troubled with messages in your log, there are plenty of ordinary things you can do:
- enforce key authentication
- restrict access to certain users or groups of users
- deny direct access as root
- enforce strong passwords, if you can't enforce key authentication
- limit the IP address space that is allowed to connect, to the space where you or your users are likely to be
- limit the number of simultaneous unauthenticated connections

Cheers,
Erik
--
Ph: +34.666334818
web: http://www.locolomo.org
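The triage Erik describes above (reverse-mapping lines are DNS noise, "Invalid user" lines are the real login attempts, and the question is which of those matter), as an added example that is not code from the original thread. It is a POSIX shell script; the log it reads is constructed for the example, modelled on the two lines in the question, with addresses from the RFC 5737 documentation ranges, and the function names are made up here.

```shell
#!/bin/sh
# Added example, not code from the original thread: apply the reply's triage to
# sshd log lines. "reverse mapping" lines are DNS noise; "Invalid user" lines
# are the real login attempts, and are worth counting per source address.
# The log below is constructed for this example, modelled on the lines in the
# question; addresses come from the RFC 5737 documentation ranges.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan  9 17:54:42 localhost sshd[2311]: reverse mapping checking getaddrinfo for host.example.net [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  9 17:54:42 localhost sshd[2311]: Invalid user sysadmin from 203.0.113.7
Jan  9 17:54:45 localhost sshd[2313]: Invalid user oracle from 203.0.113.7
Jan  9 17:54:47 localhost sshd[2315]: Invalid user test from 203.0.113.7 port 40122
Jan  9 17:55:01 localhost sshd[2318]: Invalid user admin from 198.51.100.23
Jan  9 17:56:10 localhost sshd[2320]: reverse mapping checking getaddrinfo for office.example.org [192.0.2.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  9 17:56:11 localhost sshd[2320]: Accepted publickey for erik from 192.0.2.9 port 51522 ssh2
EOF

# Lines that only report a failed reverse DNS lookup: a misconfigured DNS
# server on the client side, not evidence of an attack.
count_reverse_mapping_noise() {
    grep -c 'reverse mapping checking getaddrinfo' "$1" || true
}

# "Invalid user" attempts per source address, busiest first. The address is
# the field after "from", so lines with or without a trailing "port N" work.
invalid_user_by_ip() {
    awk '/ sshd\[[0-9]+\]: Invalid user / {
             for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Attempts from one address (0 if none).
invalid_user_count() {
    invalid_user_by_ip "$1" | awk -v ip="$2" '$2 == ip { print $1; found = 1 }
                                              END { if (!found) print 0 }'
}

# Addresses with at least THRESHOLD attempts: candidates for a firewall block.
offenders_over() {
    invalid_user_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Successful logins: the entries actually worth reading every day.
accepted_logins() {
    awk '/ sshd\[[0-9]+\]: Accepted / { print $7, "login by", $9, "from", $11 }' "$1"
}

echo "reverse-DNS noise lines: $(count_reverse_mapping_noise "$SAMPLE_LOG")"
echo "invalid-user attempts per address:"; invalid_user_by_ip "$SAMPLE_LOG"
echo "addresses with 3 or more attempts:"; offenders_over "$SAMPLE_LOG" 3
echo "successful logins:"; accepted_logins "$SAMPLE_LOG"
```

Point it at /var/log/auth.log or /var/log/secure instead of the constructed file. The "Invalid user" count per address tells you who is brute-forcing; the "Accepted" lines are the ones that would tell you whether any of it worked, which is the only thing that turns log noise into an incident.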
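Erik's checklist above written out as an sshd_config, next to a deliberately weak one, with a small audit that reads a config the way sshd does (keywords are case-insensitive, the first uncommented occurrence wins, a Match block ends the global section). This is an added example, not code from the original thread. Both configs, the group name sshusers, the user erik and the address ranges are constructed for the example (RFC 5737 documentation networks), and the function names are made up here.

```shell
#!/bin/sh
# Added example (not from the original thread): the reply's checklist as an
# sshd_config, next to a deliberately weak one, plus a small audit that reads a
# config the way sshd does (first uncommented occurrence of a keyword wins).
# Both configs, the group name and the address ranges are constructed for this
# example; the ranges are RFC 5737 documentation networks.

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# A typical out-of-the-box config: password logins for anyone, root included.
cat >"$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxStartups 10:30:100
EOF

# The same service after applying the checklist.
cat >"$HARD_CONF" <<'EOF'
Port 22
# enforce key authentication
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# deny direct access as root
PermitRootLogin no
# restrict access to certain users or groups; a user must pass both lists
AllowGroups sshusers
# limit the address space allowed to connect (user@host patterns take CIDR)
AllowUsers erik@192.0.2.0/24 *@198.51.100.0/24
# limit simultaneous unauthenticated connections: start dropping at 10,
# drop everything at 60, and give each one 30 s to authenticate
MaxStartups 10:30:60
LoginGraceTime 30
MaxAuthTries 3
EOF

# sshd_opt FILE KEYWORD [DEFAULT]: effective top-level value of KEYWORD.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { found = 1; $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
        END { if (!found) print def }
    ' "$1"
}

# report DESCRIPTION ACTUAL EXPECTED: one PASS/FAIL line, counting failures.
report() {
    if [ "$2" = "$3" ]; then
        echo "PASS  $1"
    else
        echo "FAIL  $1 (got '${2:-unset}')"
        fails=$((fails + 1))
    fi
}

# audit_sshd_config FILE: check the reply's list, print a summary line last.
audit_sshd_config() {
    fails=0
    report "key authentication enforced" \
        "$(sshd_opt "$1" PubkeyAuthentication yes)/$(sshd_opt "$1" PasswordAuthentication yes)" "yes/no"
    report "direct root login denied" "$(sshd_opt "$1" PermitRootLogin)" no
    users=$(sshd_opt "$1" AllowUsers); groups=$(sshd_opt "$1" AllowGroups)
    report "access restricted to listed users or groups" \
        "$([ -n "$users$groups" ] && echo yes || echo no)" yes
    case $users in
        *@*) addr=yes ;;
        *)   addr=no ;;
    esac
    report "connecting address space limited (user@host patterns)" "$addr" yes
    report "unauthenticated connection limit set" \
        "$([ -n "$(sshd_opt "$1" MaxStartups)" ] && echo yes || echo no)" yes
    echo "failures: $fails"
}

# audit_failures FILE: just the number, for scripting.
audit_failures() {
    audit_sshd_config "$1" | awk '/^failures:/ { print $2 }'
}

echo "== weak =="; audit_sshd_config "$WEAK_CONF"
echo "== hardened =="; audit_sshd_config "$HARD_CONF"
```

Two caveats. "Enforce strong passwords" is not an sshd setting at all; it lives in PAM (or whatever your system uses for password policy), so the audit cannot check it. And the address restriction via AllowUsers is the in-sshd variant; a packet filter rule in front of port 22 does the same job and also keeps the noise out of the log entirely. Before reloading, run `sshd -t -f /path/to/sshd_config` to catch syntax errors, and keep your current session open until you have confirmed a fresh login works.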