On Sunday 03 January 2010, Gabor Szabo wrote:
I just noticed someone bombarding my machine trying to log in via ssh.
From auth.log:
Jan 3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
In addition to moving away from port 22, you can
I just noticed someone bombarding my machine trying to log in via ssh.
From auth.log:
Jan 3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
Jan 3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941
Hi Gabor,
Moving sshd off port 22 to any non-standard port worked fine for me. Most
attacks are too lazy to do a full portscan, so if they don't find the
default port open, they just move to the next host. Of course, this is
assuming that the attack chose you at random. If it's a targeted
This is so common these days that, years ago, I heard of people filtering
out such messages.
Just check your machine carefully - I once had a break-in that was caused
by a stupid chain of mistakes: I switched sshd to listen on its default
port (22) for some time (instead of some arbitrary port as it was
A few suggestions:
1. After 3 unsuccessful logins, knock the user out (no matter who the
user is).
2. Ban the IP in iptables. You can see it's the same IP all the time. This
IP is from the Philippines
http://www.dnsstuff.com/tools/ipall/?tool_id=67token=toolhandler_redirect=0ip=202.138.142.216
3.
To add my list:
* Verify there are as few users as possible on the machine. Unused user?
Either purge or disable (login shell set to /bin/false or the like; home
dir set to /not/here).
* Verify users on the machine do not have easy-to-guess passwords.
* indeed move sshd to listen to its NON default
Hi,
Simple answer: apt-get install denyhosts
Then set up the config file according to your needs and run this daemon. When
someone passes the threshold, it will be added to /etc/hosts.deny and
will be blocked.
You might want to complain about the abuser to this IP holder (Digitel
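
The threshold idea behind the denyhosts suggestion, as an added example that is not part of the thread and not DenyHosts' own code: it counts sshd "Failed password" lines per source address and returns hosts.deny-style entries. The threshold of 3 (taken from the "3 unsuccessful logins" suggestion), the function names and all sample lines except the first are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line: the user name is free text supplied by the client
# and may itself contain " from <ip> port <n>", so only the trailing
# address written by sshd is used.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+(?: ssh2)?$"
)

THRESHOLD = 3  # assumption: "3 unsuccessful logins", as suggested in the thread


def failed_by_ip(lines):
    """Count sshd 'Failed password' entries per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an address: ignore rather than guess
        counts[str(ip)] += 1
    return counts


def deny_entries(lines, threshold=THRESHOLD):
    """Return hosts.deny-style lines for addresses at or over the threshold."""
    counts = failed_by_ip(lines)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Jan 3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
Jan 3 06:31:50 s6 sshd[22775]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
Jan 3 06:31:53 s6 sshd[22776]: Failed password for root from 202.138.142.216 port 40112 ssh2
Jan 3 06:32:10 s6 sshd[22780]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 203.0.113.7 port 4000 ssh2
Jan 3 06:32:15 s6 sshd[22781]: Accepted password for alice from 198.51.100.4 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    print(dict(failed_by_ip(SAMPLE_LOG)))
    print("\n".join(deny_entries(SAMPLE_LOG)))
```

The fourth sample line shows why the pattern is anchored: the address embedded in the user name is not counted, only the one sshd appended.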