The first thing I'd do is to reboot your router... get a new IP address! Then I'd take Jim's recommendations about ssh ( openssh version 4 is now freely available if your distro doesn't offer it yet, btw ), although I still like using passwords. Creating a couple of users with random passwords

However, I wouldn't implement any IP address barring strategy, as it makes you look like you've got something to hide, which will make them try harder. There's even a case for having a dmz running on port 22, and let them play, find there's nothing of use, and give up. If you reboot your router on a regular basis ( we have power problems in DH, and I'm tempted to leave it off the UPS so I don't have to remember this ), then the problem gets more random ( ie they can't make a concerted attack ), which is probably the safest way. The last suggestion I could make is to drop ssh altogether ( or just let it answer but never succeed to log in ), and implement an openvpn solution instead.

These suggestions do assume perfect software implementations, so there is some element of risk in taunting them!

$0.02,
Steve

On Fri, January 13, 2006 11:38 am, Phill Coxon wrote:
> I just jumped into the command line and noticed kernel messages for
> failed ssh2 login attempts for bogus users.
>
> Checking my logs it turns out that someone has been trying to hack into
> my ADSL connected computer since the 9th with a brute force script
> trying different usernames and passwords.
>
> I've blocked ssh access for the moment.
>
> Questions:
>
> (1) Is there some desktop monitoring utility that will immediately
> notify me of suspicious behaviour? I'm rather disturbed that it's taken
> me 4 days to notice this.
>
> (2) Recommendations for log parsing software that monitors suspicious
> logs?
>
> (3) Recommended strategies for dealing with break in attempts like this?
> Ban the IPs for a while?
>
> Thanks!
>
> --
> Work like you don't need the money,
> Love like your heart has never been broken and
> Dance like no one can see you.
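As an added illustration for Phill's question (2), and not part of Steve's or Phill's messages: a small Python script that parses the sshd "Failed password" lines a brute-force script leaves in auth.log and flags any source address that racks up several failures within a short window, which is the condition a log watcher would alert on. The log lines are constructed samples in the classic syslog format, and the threshold (5 failures) and window (10 minutes) are assumptions; real tools tune both.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (documentation IP ranges; year assumed 2006).
SAMPLE_LOG = """\
Jan  9 03:12:01 box sshd[4123]: Invalid user admin from 203.0.113.45
Jan  9 03:12:03 box sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
Jan  9 03:12:05 box sshd[4125]: Invalid user test from 203.0.113.45
Jan  9 03:12:07 box sshd[4125]: Failed password for invalid user test from 203.0.113.45 port 40130 ssh2
Jan  9 03:12:09 box sshd[4127]: Failed password for root from 203.0.113.45 port 40140 ssh2
Jan  9 03:12:11 box sshd[4129]: Failed password for invalid user oracle from 203.0.113.45 port 40151 ssh2
Jan  9 03:13:00 box sshd[4131]: Failed password for invalid user guest from 203.0.113.45 port 40160 ssh2
Jan  9 08:00:14 box sshd[5001]: Accepted password for phill from 192.0.2.10 port 51234 ssh2
Jan  9 08:30:02 box sshd[5010]: Failed password for phill from 192.0.2.10 port 51300 ssh2
Jan  9 08:30:10 box sshd[5010]: Accepted password for phill from 192.0.2.10 port 51300 ssh2
"""

# Matches only the "Failed password" line; "Invalid user" notices and
# "Accepted password" lines are deliberately ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse_failures(log_text, year=2006):
    """Return a list of (timestamp, user, source_ip) for every failed login."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; collapse the double space before the day
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def find_bruteforce(failures, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failures inside any `window`.

    Returns {ip: {"peak": failures in the densest window, "users": names tried}}.
    A sliding window per IP keeps a legitimate user's occasional typo
    (one failure, then success) from being flagged.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"peak": peak, "users": sorted({u for _, u in events})}
    return flagged


def report(log_text):
    """Human-readable summary, suitable for a cron job that mails its output."""
    flagged = find_bruteforce(parse_failures(log_text))
    lines = []
    for ip, info in sorted(flagged.items()):
        lines.append(f"{ip}: {info['peak']} failed logins in one window, "
                     f"usernames tried: {', '.join(info['users'])}")
    return "\n".join(lines) if lines else "no brute-force pattern seen"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real log (e.g. `/var/log/auth.log` or `/var/log/secure`) by replacing `SAMPLE_LOG` with the file contents; the sliding window is what separates the burst of bogus-user failures from the single mistyped password later in the sample, which is not flagged.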
