I had that same problem, and even though I doubted they would get in, it
was annoying. What I did was just change the ssh port to listen on some
other port I chose that isn't very common so the people running those
scripts wouldn't see that I have ssh running. Since then through the
logs I haven't seen any attempts by those scripts. It isn't as
convenient since when ssh-ing from somehwere I have to specify the port,
but to me it's worth it.
Danny
Michael Wasser wrote:
So the other day I was sifting through some of my linux server logs
and I discovered that someone has been trying to crack my server. I
am under the impression they are currently only trying to log in via
ssh. Here is a sample from my logs to get an idea:
Sep 13 13:37:44 [sshd] Invalid user admin from ::ffff:210.107.239.119
Sep 13 13:37:46 [sshd] Invalid user test from ::ffff:210.107.239.119
Sep 13 13:37:55 [sshd] Invalid user danny from ::ffff:210.107.239.119
Sep 13 13:37:57 [sshd] Invalid user sharon from ::ffff:210.107.239.119
Sep 13 13:37:59 [sshd] Invalid user aron from ::ffff:210.107.239.119
They seem to come in batches like that go on for a few hours every day
or so -- each time from a different IP. Doesnt seem to be very
harmful as i really doubt theyll ever hit a user/password combo that
actually works but I still dont like it.
I was considering creating a few rules on my firewall just to block
Asian IP blocks ... but that almost seems against the very idea of the
internet. I was wondering if other people have faced similar problems
and what they have done to prevent these kind of cracks. What
alternatives to simply blocking IP ranges do I have?
Thanks for your time,
Michael Wasser
