So the other day I was sifting through some of my Linux server logs and I discovered that someone has been trying to crack my server. I am under the impression they are currently only trying to log in via ssh. Here is a sample from my logs to get an idea:

Sep 13 13:37:44 [sshd] Invalid user admin from ::ffff:210.107.239.119
Sep 13 13:37:46 [sshd] Invalid user test from ::ffff:210.107.239.119
Sep 13 13:37:55 [sshd] Invalid user danny from ::ffff:210.107.239.119
Sep 13 13:37:57 [sshd] Invalid user sharon from ::ffff:210.107.239.119
Sep 13 13:37:59 [sshd] Invalid user aron from ::ffff:210.107.239.119

They seem to come in batches like that, which go on for a few hours every day or so -- each time from a different IP. Doesn't seem to be very harmful as I really doubt they'll ever hit a user/password combo that actually works, but I still don't like it.

I was considering creating a few rules on my firewall just to block Asian IP blocks ... but that almost seems against the very idea of the internet. I was wondering if other people have faced similar problems and what they have done to prevent these kinds of cracks. What alternatives to simply blocking IP ranges do I have?

Thanks for your time,
Michael Wasser
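
An added example, not part of the original message: a detection pass over sshd lines in the format quoted above, flagging any single source address that tries several distinct invalid user names within a short window. The function names, the threshold of 5, the one-minute window and the placeholder year are assumptions; the sample holds the five lines from the message plus constructed ones.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format as quoted in the message: "<Mon> <day> <time> [sshd] Invalid user <name> from <addr>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \[sshd\] "
                     r"Invalid user (?P<user>\S+) from (?P<addr>\S+)$")

def normalize(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)

def flag_sources(lines, threshold=5, window=timedelta(minutes=1), year=2000):
    """Return {source: sorted user names} for sources that tried at least
    `threshold` distinct invalid users within `window`. Syslog lines carry
    no year, so `year` is an assumed placeholder."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an "Invalid user" line
        try:
            src = normalize(m["addr"])
        except ValueError:
            continue  # malformed address field
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[src].append((ts, m["user"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            users = {user for _, user in evs[start:end + 1]}
            if len(users) >= threshold:
                flagged[src] = sorted(users)
                break
    return flagged

SAMPLE = [  # first five lines are from the message; the last two are constructed
    "Sep 13 13:37:44 [sshd] Invalid user admin from ::ffff:210.107.239.119",
    "Sep 13 13:37:46 [sshd] Invalid user test from ::ffff:210.107.239.119",
    "Sep 13 13:37:55 [sshd] Invalid user danny from ::ffff:210.107.239.119",
    "Sep 13 13:37:57 [sshd] Invalid user sharon from ::ffff:210.107.239.119",
    "Sep 13 13:37:59 [sshd] Invalid user aron from ::ffff:210.107.239.119",
    "Sep 13 14:02:10 [sshd] Invalid user alice from ::ffff:192.0.2.10",
    "Sep 13 14:05:00 [sshd] session opened for user bob",
]
```

Keying on the normalized address keeps the `::ffff:` form and the plain IPv4 form of one host from being counted as two sources.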
