Thats a good idea, but I have several other users that use the system
along with many temporary users that I grant login permission to for a
few days. Having to explain that ssh is on a different port to every
person i need to grant access to would probably create more confusion
than is worth it.
Thanks for the response,
Michael
Daniel Meekins wrote:
I had that same problem, and even though I doubted they would get in,
it was annoying. What I did was just change the ssh port to listen on
some other port I chose that isn't very common so the people running
those scripts wouldn't see that I have ssh running. Since then through
the logs I haven't seen any attempts by those scripts. It isn't as
convenient since when ssh-ing from somehwere I have to specify the
port, but to me it's worth it.
Danny
Michael Wasser wrote:
So the other day I was sifting through some of my linux server logs
and I discovered that someone has been trying to crack my server. I
am under the impression they are currently only trying to log in via
ssh. Here is a sample from my logs to get an idea:
Sep 13 13:37:44 [sshd] Invalid user admin from ::ffff:210.107.239.119
Sep 13 13:37:46 [sshd] Invalid user test from ::ffff:210.107.239.119
Sep 13 13:37:55 [sshd] Invalid user danny from ::ffff:210.107.239.119
Sep 13 13:37:57 [sshd] Invalid user sharon from ::ffff:210.107.239.119
Sep 13 13:37:59 [sshd] Invalid user aron from ::ffff:210.107.239.119
They seem to come in batches like that go on for a few hours every
day or so -- each time from a different IP. Doesnt seem to be very
harmful as i really doubt theyll ever hit a user/password combo that
actually works but I still dont like it.
I was considering creating a few rules on my firewall just to block
Asian IP blocks ... but that almost seems against the very idea of
the internet. I was wondering if other people have faced similar
problems and what they have done to prevent these kind of cracks.
What alternatives to simply blocking IP ranges do I have?
Thanks for your time,
Michael Wasser
