If you're only expecting users from certain IP ranges (say, your home IP
and UMD labs), blocking all other IP ranges might not be a bad idea.  If
you want this to be some kind of public server, however, I agree that
blocking IP ranges probably isn't the way to go - today it's Asia, tomorrow
it's Europe...  This is what strong passwords are for.

-Derek Juba

> So the other day I was sifting through some of my Linux server logs and
> I discovered that someone has been trying to crack my server.  I am
> under the impression they are currently only trying to log in via ssh.
> Here is a sample from my logs to get an idea:
>
> Sep 13 13:37:44 [sshd] Invalid user admin from ::ffff:210.107.239.119
> Sep 13 13:37:46 [sshd] Invalid user test from ::ffff:210.107.239.119
> Sep 13 13:37:55 [sshd] Invalid user danny from ::ffff:210.107.239.119
> Sep 13 13:37:57 [sshd] Invalid user sharon from ::ffff:210.107.239.119
> Sep 13 13:37:59 [sshd] Invalid user aron from ::ffff:210.107.239.119
>
> They seem to come in batches like that and go on for a few hours every
> day or so -- each time from a different IP.  Doesn't seem to be very
> harmful as I really doubt they'll ever hit a user/password combo that
> actually works but I still don't like it.
>
> I was considering creating a few rules on my firewall just to block
> Asian IP blocks ... but that almost seems against the very idea of the
> internet.  I was wondering if other people have faced similar problems
> and what they have done to prevent these kinds of cracks.  What
> alternatives to simply blocking IP ranges do I have?
>
> Thanks for your time,
> Michael Wasser
>
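
The log lines quoted above can be checked per source address instead of per IP range. The following is an added example, not part of either message: it parses that sshd format, strips the ::ffff: IPv4-mapped prefix, and reports sources that exceed a failure threshold inside a time window. The names flag_sources and normalize, the thresholds, the assumed year and the 192.0.2.10 lines are illustrative.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \[sshd\] "
                     r"Invalid user (\S+) from (\S+)$")

# First five lines are from the message; the 192.0.2.10 lines are constructed.
SAMPLE = """\
Sep 13 13:37:44 [sshd] Invalid user admin from ::ffff:210.107.239.119
Sep 13 13:37:46 [sshd] Invalid user test from ::ffff:210.107.239.119
Sep 13 13:37:55 [sshd] Invalid user danny from ::ffff:210.107.239.119
Sep 13 13:37:57 [sshd] Invalid user sharon from ::ffff:210.107.239.119
Sep 13 13:37:59 [sshd] Invalid user aron from ::ffff:210.107.239.119
Sep 13 13:40:02 [sshd] Invalid user bob from ::ffff:192.0.2.10
Sep 13 14:55:10 [sshd] Invalid user bob from ::ffff:192.0.2.10
""".splitlines()

def normalize(src):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return src  # not an IP literal (e.g. a hostname); keep as logged
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def flag_sources(lines, max_failures=3, window=timedelta(minutes=1), year=2000):
    """Map each source with > max_failures attempts in one window to the usernames tried."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            # Syslog timestamps carry no year; `year` is an assumed value.
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            events[normalize(m[3])].append((ts, m[2]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0  # left edge of the sliding window
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged[src] = sorted({user for _, user in evs})
                break
    return flagged

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```
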
