Re: [gentoo-user] Re: Break In attempts
On 10/13/07, Mick <[EMAIL PROTECTED]> wrote:
>
> On Sunday 07 October 2007, Remy Blank wrote:
> > Mick wrote:
> > > I have already disabled PAM authentication on sshd so that only users
> > > with a public key in their ~/.ssh can login.
> >
> > This is the first and most important step. This means that the only real
> > problem is that your logs fill with failed log in attempts.
> >
> > The easiest way I have found to avoid that is to change the port number
> > of the SSH daemon to something else than 22.
>
> I am trying out fail2ban, but I am not sure I have configured it correctly.
> Shouldn't most of these repeated attempts have been stopped?
>
> Oct 12 21:01:01 support sshd[30347]: Did not receive identification string from 203.128.89.99
> Oct 13 01:01:38 support sshd[26419]: Did not receive identification string from 85.8.136.219
> Oct 13 01:01:38 support sshd[26422]: Did not receive identification string from 85.8.136.219
> Oct 13 01:11:14 support sshd[31765]: Invalid user admin from 85.8.136.219
> Oct 13 01:11:15 support sshd[31792]: Invalid user test from 85.8.136.219
> Oct 13 01:11:15 support sshd[31814]: Invalid user guest from 85.8.136.219
> Oct 13 01:11:16 support sshd[31833]: Invalid user webmaster from 85.8.136.219
> Oct 13 01:11:17 support sshd[31852]: User mysql not allowed because account is locked
> Oct 13 01:11:18 support sshd[31902]: Invalid user oracle from 85.8.136.219
> Oct 13 01:11:19 support sshd[31929]: Invalid user library from 85.8.136.219
> Oct 13 01:11:19 support sshd[31945]: Invalid user admin from 85.8.136.219
> Oct 13 01:11:20 support sshd[31952]: Invalid user info from 85.8.136.219
> Oct 13 01:11:20 support sshd[31965]: Invalid user test from 85.8.136.219
> Oct 13 01:11:20 support sshd[31974]: Invalid user shell from 85.8.136.219
> Oct 13 01:11:21 support sshd[31999]: Invalid user guest from 85.8.136.219
> Oct 13 01:11:21 support sshd[32015]: Invalid user linux from 85.8.136.219
> Oct 13 01:11:22 support sshd[32026]: Invalid user webmaster from 85.8.136.219
> Oct 13 01:11:22 support sshd[32036]: Invalid user unix from 85.8.136.219
> Oct 13 01:11:22 support sshd[32058]: User mysql not allowed because account is locked
> Oct 13 01:11:23 support sshd[32080]: Invalid user oracle from 85.8.136.219
> Oct 13 01:11:24 support sshd[32109]: Invalid user library from 85.8.136.219
> Oct 13 01:11:24 support sshd[32123]: Invalid user test from 85.8.136.219
> Oct 13 01:11:25 support sshd[32134]: Invalid user info from 85.8.136.219
> Oct 13 01:11:25 support sshd[32164]: Invalid user shell from 85.8.136.219
> Oct 13 01:11:26 support sshd[32175]: Invalid user admin from 85.8.136.219
> Oct 13 01:11:26 support sshd[32192]: Invalid user linux from 85.8.136.219
> Oct 13 01:11:27 support sshd[32200]: Invalid user guest from 85.8.136.219
> Oct 13 01:11:27 support sshd[32224]: Invalid user unix from 85.8.136.219
>
> I have just kept the default fail2ban config file and have not created any new
> log files in /var/log/.
>
> Any ideas?
> --
> Regards,
> Mick

Do you have anything in your default log file, /var/log/fail2ban.log ?

--
- Mark Shields
Re: [gentoo-user] Re: Break In attempts
On Sunday 07 October 2007, Remy Blank wrote:
> Mick wrote:
> > I have already disabled PAM authentication on sshd so that only users
> > with a public key in their ~/.ssh can login.
>
> This is the first and most important step. This means that the only real
> problem is that your logs fill with failed log in attempts.
>
> The easiest way I have found to avoid that is to change the port number
> of the SSH daemon to something else than 22.

I am trying out fail2ban, but I am not sure I have configured it correctly.
Shouldn't most of these repeated attempts have been stopped?

Oct 12 21:01:01 support sshd[30347]: Did not receive identification string from 203.128.89.99
Oct 13 01:01:38 support sshd[26419]: Did not receive identification string from 85.8.136.219
Oct 13 01:01:38 support sshd[26422]: Did not receive identification string from 85.8.136.219
Oct 13 01:11:14 support sshd[31765]: Invalid user admin from 85.8.136.219
Oct 13 01:11:15 support sshd[31792]: Invalid user test from 85.8.136.219
Oct 13 01:11:15 support sshd[31814]: Invalid user guest from 85.8.136.219
Oct 13 01:11:16 support sshd[31833]: Invalid user webmaster from 85.8.136.219
Oct 13 01:11:17 support sshd[31852]: User mysql not allowed because account is locked
Oct 13 01:11:18 support sshd[31902]: Invalid user oracle from 85.8.136.219
Oct 13 01:11:19 support sshd[31929]: Invalid user library from 85.8.136.219
Oct 13 01:11:19 support sshd[31945]: Invalid user admin from 85.8.136.219
Oct 13 01:11:20 support sshd[31952]: Invalid user info from 85.8.136.219
Oct 13 01:11:20 support sshd[31965]: Invalid user test from 85.8.136.219
Oct 13 01:11:20 support sshd[31974]: Invalid user shell from 85.8.136.219
Oct 13 01:11:21 support sshd[31999]: Invalid user guest from 85.8.136.219
Oct 13 01:11:21 support sshd[32015]: Invalid user linux from 85.8.136.219
Oct 13 01:11:22 support sshd[32026]: Invalid user webmaster from 85.8.136.219
Oct 13 01:11:22 support sshd[32036]: Invalid user unix from 85.8.136.219
Oct 13 01:11:22 support sshd[32058]: User mysql not allowed because account is locked
Oct 13 01:11:23 support sshd[32080]: Invalid user oracle from 85.8.136.219
Oct 13 01:11:24 support sshd[32109]: Invalid user library from 85.8.136.219
Oct 13 01:11:24 support sshd[32123]: Invalid user test from 85.8.136.219
Oct 13 01:11:25 support sshd[32134]: Invalid user info from 85.8.136.219
Oct 13 01:11:25 support sshd[32164]: Invalid user shell from 85.8.136.219
Oct 13 01:11:26 support sshd[32175]: Invalid user admin from 85.8.136.219
Oct 13 01:11:26 support sshd[32192]: Invalid user linux from 85.8.136.219
Oct 13 01:11:27 support sshd[32200]: Invalid user guest from 85.8.136.219
Oct 13 01:11:27 support sshd[32224]: Invalid user unix from 85.8.136.219

I have just kept the default fail2ban config file and have not created any new
log files in /var/log/.

Any ideas?
--
Regards,
Mick
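An added example (not part of any message in this thread, and not fail2ban's own code): a sliding-window count over the first lines of the log excerpt above, showing which entry would cross a ban threshold and which entries cannot be counted at all. The `maxretry`, `findtime` and `year` values and the single failure pattern are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First lines of the sshd excerpt posted in the thread (mail wrapping undone).
LOG = """\
Oct 12 21:01:01 support sshd[30347]: Did not receive identification string from 203.128.89.99
Oct 13 01:01:38 support sshd[26419]: Did not receive identification string from 85.8.136.219
Oct 13 01:11:14 support sshd[31765]: Invalid user admin from 85.8.136.219
Oct 13 01:11:15 support sshd[31792]: Invalid user test from 85.8.136.219
Oct 13 01:11:15 support sshd[31814]: Invalid user guest from 85.8.136.219
Oct 13 01:11:16 support sshd[31833]: Invalid user webmaster from 85.8.136.219
Oct 13 01:11:17 support sshd[31852]: User mysql not allowed because account is locked
Oct 13 01:11:18 support sshd[31902]: Invalid user oracle from 85.8.136.219
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
# Assumed failure pattern for this example (not fail2ban's shipped filter).
# A line only counts if it names the source address.
FAILURE = re.compile(r"^Invalid user \S+ from (\d{1,3}(?:\.\d{1,3}){3})$")


def scan(log, maxretry=3, findtime=600, year=2007):
    """Return ({ip: time of the failure that reaches maxretry}, [uncounted messages])."""
    recent = defaultdict(deque)  # ip -> failure times inside the window
    bans, uncounted = {}, []
    for raw in log.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        stamp, message = line.groups()
        hit = FAILURE.match(message)
        if not hit:
            uncounted.append(message)
            continue
        # Syslog timestamps carry no year, so it is supplied by the caller.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        times = recent[hit.group(1)]
        times.append(when)
        while when - times[0] > timedelta(seconds=findtime):
            times.popleft()
        if len(times) >= maxretry:
            bans.setdefault(hit.group(1), when)
    return bans, uncounted


if __name__ == "__main__":
    bans, uncounted = scan(LOG)
    for ip, when in bans.items():
        print(f"{ip}: threshold reached at {when:%b %d %H:%M:%S}")
    for message in uncounted:
        print("not counted:", message)
```

The "User mysql not allowed because account is locked" entries carry no source address, so a per-address counter has nothing to attribute them to.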
Re: [gentoo-user] Re: Break In attempts
http://www.google.com/search?hl=en&q=howto+secure+ssh&btnG=Google+Search
Re: [gentoo-user] Re: Break In attempts
On Sunday 07 October 2007, Remy Blank wrote:
> Mick wrote:
> > I have already disabled PAM authentication on sshd so that only users
> > with a public key in their ~/.ssh can login.
>
> This is the first and most important step. This means that the only real
> problem is that your logs fill with failed log in attempts.
>
> The easiest way I have found to avoid that is to change the port number
> of the SSH daemon to something else than 22.

That's right, my standard practice for this sort of problem is to disable root
& passwd authentication in favour of public key and then move the ssh port away
from the bots. The problem is that on this occasion, this is not my server.
I'll have a word with the owner and see what he thinks.
--
Regards,
Mick
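An added example (not part of any message in this thread): a check of an sshd_config against the practice described above, that is, password and root login disabled, public keys left enabled and the port moved off 22. It relies on sshd using the first value it reads for a keyword and listening on every `Port` line; the sample config is constructed, and `Match` blocks are not evaluated.

```python
import re

# Constructed sample config; not taken from the server discussed in the thread.
SAMPLE = """\
# constructed sample
Port 22
Port 2222
PermitRootLogin no
PasswordAuthentication no
# A later duplicate does not override the value already set above.
PasswordAuthentication yes
"""

DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def effective(config_text):
    """Global settings as sshd reads them: first value wins, Port lines accumulate."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional blocks are out of scope for this check
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value)
    return settings, ports or [22]


def audit(config_text):
    """List the ways the config departs from the practice described in the thread."""
    settings, ports = effective(config_text)
    findings = []
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("password authentication is not disabled")
    if settings.get("permitrootlogin") != "no":
        findings.append("root login is not explicitly disabled")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("public key authentication is disabled")
    if 22 in ports:
        findings.append("sshd still listens on port 22")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```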
[gentoo-user] Re: Break In attempts
Mick wrote:
> I have already disabled PAM authentication on sshd so that only users with a
> public key in their ~/.ssh can login.

This is the first and most important step. This means that the only real
problem is that your logs fill with failed log in attempts.

The easiest way I have found to avoid that is to change the port number
of the SSH daemon to something else than 22.

-- Remy