Fail2ban scans log files and bans IP addresses that make too many password failures. It updates firewall rules to reject the IP address.
See: http://www.fail2ban.org/wiki/index.php/Main_Page

Aaron

-----Original Message-----
From: Boaz Rymland [mailto:b...@rymland.com]
Sent: Sunday, January 03, 2010 5:09 PM
To: linux-il
Subject: Re: What to do with a constant flow of attempts to login to my computer?

To add my list:

* verify there are as few users as possible on the machine. Unused user? Either purge or disable (login shell set to /bin/false or the like; home dir set to /not/here).
* verify users on the machine do not have easy-to-guess passwords.
* indeed move sshd to listen on its NON-default port
* shut down and remove any unneeded software/services, including and specifically any web applications that are not used.
* keep your installed applications updated and keep an eye on software updates. I once had an unsuccessful break-in attempt that was trying to exploit some bug in a webmail application that was not used. The bug was two weeks old at the time.

Both of the break-in cases I described were of my 24/7 home machine I had running for years (but not anymore), not some high-traffic IP address, so this is rather common these days.

Boaz.

On Sun, 03 Jan 2010 09:51:05 -0500, Boaz Rymland <b...@rymland.com> wrote:
> This is so common these days I heard years ago people filtering out such
> messages.
>
> Just check your machine carefully - I once had a break-in that was caused
> by a stupid chain of mistakes: I switched sshd to listen on its default
> port (22) for some time (instead of some arbitrary port as it used to
> be) + router forwarded 22 connections to the linux machine (as needed for
> SSH to work) + yes, there was a little issue of a test user I once created,
> named "test" with password "test"... . Voila! A robot sounded the "bingo!"
> alarm somewhere... . I had to reinstall my machine (which wasn't that bad,
> but still...).
>
> Lesson? Carefully check your machine's "entry points" and as much as you
> can - try not to assume things to be in a certain status before checking that
> (like, "I don't have stupid test users on machines" - check your configured
> users) as that can fail you. In other words - don't presume anything. Check
> it, to evaluate your status.
>
> Boaz.
>
> On Sun, 3 Jan 2010 16:34:29 +0200, Gabor Szabo <szab...@gmail.com> wrote:
>> I just noticed someone bombarding my machine trying to login via ssh.
>> From auth.log
>>
>> Jan 3 06:31:48 s6 sshd[22774]: Failed password for invalid user
>> amavisd from 202.138.142.216 port 35172 ssh2
>> Jan 3 06:31:48 s6 sshd[22773]: Failed password for invalid user
>> clamav from 202.138.142.216 port 39941 ssh2
>> Jan 3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
>> Jan 3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): check pass; user
>> unknown
>> Jan 3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
>> Jan 3 06:31:49 s6 sshd[22781]: Invalid user appserver from
>> 202.138.142.216
>> Jan 3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): check pass; user
>> unknown
>> Jan 3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
>> Jan 3 06:31:52 s6 sshd[22780]: Failed password for invalid user
>> clamav from 202.138.142.216 port 35699 ssh2
>> Jan 3 06:31:52 s6 sshd[22781]: Failed password for invalid user
>> appserver from 202.138.142.216 port 40470 ssh2
>>
>>
>> So what is your suggestion. What to do with it?
>>
>> Gabor
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il@cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
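The following is an added illustration of what fail2ban does with log lines like the ones in Gabor's auth.log excerpt; it is not fail2ban's own code and not from anyone in the thread. It parses sshd "Failed password" lines in syslog format, keeps a sliding window of failures per source address, and reports every address that reaches the retry limit inside the window (the same rule fail2ban's sshd jail applies with its maxretry and findtime settings). The log lines are constructed samples using documentation addresses; the regex, the 5-failures-in-600-seconds defaults and the simplified iptables rule are this example's own assumptions.

```python
"""Minimal fail2ban-style detector for sshd password failures (added example,
not fail2ban's code). Sample log lines below are constructed and use
documentation addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One "Failed password" event per line. The "invalid user " prefix is optional
# because sshd omits it when the account exists (e.g. root).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: one fast burst, one single failure followed by a login,
# and one slow drip of a failure every 15 minutes.
SAMPLE_LOG = """\
Jan  3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 203.0.113.7 port 35172 ssh2
Jan  3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 203.0.113.7 port 39941 ssh2
Jan  3 06:31:49 s6 sshd[22780]: Invalid user clamav from 203.0.113.7
Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Jan  3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 203.0.113.7 port 35699 ssh2
Jan  3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 203.0.113.7 port 40470 ssh2
Jan  3 06:32:01 s6 sshd[22790]: Failed password for root from 203.0.113.7 port 40511 ssh2
Jan  3 06:40:15 s6 sshd[22801]: Failed password for gabor from 198.51.100.20 port 50122 ssh2
Jan  3 06:40:30 s6 sshd[22803]: Accepted password for gabor from 198.51.100.20 port 50123 ssh2
Jan  3 07:10:00 s6 sshd[22850]: Failed password for invalid user test from 192.0.2.9 port 41000 ssh2
Jan  3 07:25:00 s6 sshd[22851]: Failed password for invalid user test from 192.0.2.9 port 41001 ssh2
Jan  3 07:40:00 s6 sshd[22852]: Failed password for invalid user test from 192.0.2.9 port 41002 ssh2
Jan  3 07:55:00 s6 sshd[22853]: Failed password for invalid user test from 192.0.2.9 port 41003 ssh2
Jan  3 08:10:00 s6 sshd[22854]: Failed password for invalid user test from 192.0.2.9 port 41004 ssh2
"""


def parse_syslog_time(ts):
    """Parse 'Mon  d HH:MM:SS'. Syslog omits the year, so the result lands in
    year 1900; only differences between timestamps matter here."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_offenders(lines, maxretry=5, findtime_seconds=600):
    """Return {ip: (failures_in_window, trigger_timestamp)} for every source
    that produced at least `maxretry` failures within `findtime_seconds`."""
    windows = defaultdict(deque)   # ip -> timestamps of its recent failures
    offenders = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # not a password failure; ignore the line
        ip = m.group("ip")
        if ip in offenders:
            continue                # already flagged; fail2ban would have banned it
        now = parse_syslog_time(m.group("ts"))
        window = windows[ip]
        window.append(now)
        # Forget failures that fell outside the findtime window.
        while (now - window[0]).total_seconds() > findtime_seconds:
            window.popleft()
        if len(window) >= maxretry:
            offenders[ip] = (len(window), m.group("ts"))
    return offenders


def ban_command(ip):
    """Firewall rule a ban would install, as an argv list (simplified: fail2ban
    keeps its rules in its own chain rather than inserting into INPUT).
    Returned, not executed."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, (count, when) in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failures by {when} -> {' '.join(ban_command(ip))}")
```

Run on the sample, only the bursting address is reported: the address that fails once and then logs in never reaches the limit, and the slow drip at one attempt per 15 minutes never holds five failures inside a 600-second window, which is the trade-off behind fail2ban's findtime setting (a longer findtime or lower maxretry catches it, at the cost of more false positives). Moving sshd to another port, as Boaz suggests, does not change any of this logic; the log format is the same.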