On Monday 16 July 2007 10:02:54 G T Smith wrote:
> Richard Creighton wrote:
> > Just about every day, often several times a day, my logs include hours
> > of log entries that look like this:
> >
> > Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
> > Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
> > Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
> > Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
> > Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
> > Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42
> > Jul 16 00:36:06 raid5 sshd[6985]: Invalid user webmaster from 83.18.244.42
> > Jul 16 00:36:11 raid5 sshd[6987]: Invalid user username from 83.18.244.42
> > Jul 16 00:36:16 raid5 sshd[6989]: Invalid user user from 83.18.244.42
> > Jul 16 00:36:26 raid5 sshd[6994]: Invalid user admin from 83.18.244.42
> > Jul 16 00:36:31 raid5 sshd[6996]: Invalid user test from 83.18.244.42
> > Jul 16 00:36:51 raid5 sshd[7017]: Invalid user danny from 83.18.244.42
> > Jul 16 00:36:56 raid5 sshd[7019]: Invalid user alex from 83.18.244.42
> > Jul 16 00:37:01 raid5 sshd[7022]: Invalid user brett from 83.18.244.42
> > Jul 16 00:37:06 raid5 sshd[7024]: Invalid user mike from 83.18.244.42
> > Jul 16 00:37:12 raid5 sshd[7027]: Invalid user alan from 83.18.244.42
> > Jul 16 00:37:18 raid5 sshd[7029]: Invalid user data from 83.18.244.42
> > Jul 16 00:37:22 raid5 sshd[7031]: Invalid user www-data from 83.18.244.42
> > Jul 16 00:37:28 raid5 sshd[7033]: Invalid user http from 83.18.244.42
> > Jul 16 00:37:33 raid5 sshd[7037]: Invalid user httpd from 83.18.244.42
> > Jul 16 00:37:38 raid5 sshd[7040]: Invalid user pop from 83.18.244.42
> >
> > ..... and so on, ad nauseam. Obviously, someone is trying to break in
> > to my system via SSH. So far as I can tell from examining my logs and
> > my systems (usually at least 4 other systems on my LAN are under
> > simultaneous attacks from the same source(s)), the daemon is
> > successfully withstanding the assault and the system is not compromised.
> >
> > My question is what, if any, firewall rule could I write that could
> > detect such attacks and automatically shut down forwarding packets from
> > the offending node or domain? That would give me an additional layer
> > of defense as well as freeing up a significant amount of log file space.
> >
> > Thanks in advance,
> > Richard
After having a similar problem I was recommended DenyHosts; I swear by it now, it blocks all these lamers.

http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

Cheers,
Matthew
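The detection step that DenyHosts and similar tools automate, written out as an added example (not code from the thread or from the DenyHosts project): parse the sshd "Invalid user" lines Richard quoted, flag any source address that makes at least `threshold` attempts inside a sliding time window, and render (not execute) a drop rule for it. The sample log, the threshold of 5, the 2-minute window, the 2007 year used to complete the syslog timestamps, and the second address 192.0.2.10 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the syslog-style sshd lines quoted in the question (syslog omits the year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: lines from the question plus one isolated miss from a second address.
SAMPLE_LOG = """\
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42
Jul 16 00:36:06 raid5 sshd[6985]: Invalid user webmaster from 83.18.244.42
Jul 16 00:40:00 raid5 sshd[7100]: Invalid user bob from 192.0.2.10
"""

def parse(lines, year=2007):
    """Yield (timestamp, user, ip) for every 'Invalid user' line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: total_attempts} for every source that made at least
    `threshold` invalid-user attempts inside any `window`-long sliding interval."""
    stamps_by_ip = defaultdict(list)
    for ts, _user, ip in parse(lines):
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

def block_rule(ip):
    """Render (not execute) the iptables rule that would drop the flagged source."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
```

Running `offenders(SAMPLE_LOG.splitlines())` flags only 83.18.244.42; the single miss from 192.0.2.10 stays below the threshold, which is the distinction a blocking tool needs before it writes a deny rule.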
