Michael Wasser <[EMAIL PROTECTED]> wrote:

> So the other day I was sifting through some of my Linux server logs and 
> I discovered that someone has been trying to crack my server.  I am 
> under the impression they are currently only trying to log in via ssh. 

You might want to make sure your sshd was compiled to use the
tcp-wrappers access mechanism. Might give you slightly finer control
than a firewall rule. If the version that comes with your distro doesn't
do this, it's easy to get and compile. And you can set it up to email
you a message, so you don't have to wait until you stumble across it in
the logs. I don't know how to check if it was compiled for tcp-wrappers
other than trying out a rule and seeing what happens.

I get ssh attacks like these every now and then. On a dialup!

- Judah


> Here is a sample from my logs to get an idea:
> 
> Sep 13 13:37:44 [sshd] Invalid user admin from ::ffff:210.107.239.119
> Sep 13 13:37:46 [sshd] Invalid user test from ::ffff:210.107.239.119
> Sep 13 13:37:55 [sshd] Invalid user danny from ::ffff:210.107.239.119
> Sep 13 13:37:57 [sshd] Invalid user sharon from ::ffff:210.107.239.119
> Sep 13 13:37:59 [sshd] Invalid user aron from ::ffff:210.107.239.119
> 
> They seem to come in batches like that go on for a few hours every day 
> or so -- each time from a different IP.  Doesn't seem to be very harmful 
> as I really doubt they'll ever hit a user/password combo that actually 
> works but I still don't like it.
> 
> I was considering creating a few rules on my firewall just to block 
> Asian IP blocks ... but that almost seems against the very idea of the 
> internet.  I was wondering if other people have faced similar problems 
> and what they have done to prevent these kinds of cracks.  What 
> alternatives to simply blocking IP ranges do I have?
> 
> Thanks for your time,
> Michael Wasser
> 
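
Added example, not part of either poster's message: a small Python scan of "Invalid user" lines in the format quoted above that groups attempts by source, unwraps the `::ffff:` IPv4-mapped prefix, and renders tcp-wrappers `hosts.deny` entries for sources that cross a threshold. The function names, the threshold of 5 attempts in 60 seconds, the assumed year and the two 192.0.2.10 lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape quoted in the thread: "<Mon DD HH:MM:SS> [sshd] Invalid user U from ADDR"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} [\d:]{8}) \[sshd\] Invalid user (\S+) from (\S+)$")

# First five lines are from the thread; the last two are constructed for the example.
SAMPLE = """\
Sep 13 13:37:44 [sshd] Invalid user admin from ::ffff:210.107.239.119
Sep 13 13:37:46 [sshd] Invalid user test from ::ffff:210.107.239.119
Sep 13 13:37:55 [sshd] Invalid user danny from ::ffff:210.107.239.119
Sep 13 13:37:57 [sshd] Invalid user sharon from ::ffff:210.107.239.119
Sep 13 13:37:59 [sshd] Invalid user aron from ::ffff:210.107.239.119
Sep 13 13:40:02 [sshd] Invalid user guest from 192.0.2.10
Sep 13 13:52:30 [sshd] Invalid user guest from 192.0.2.10
""".splitlines()

def normalize(src):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so one host is counted once."""
    addr = ipaddress.ip_address(src)  # raises ValueError on non-addresses
    mapped = addr.ipv4_mapped if addr.version == 6 else None
    return str(mapped if mapped is not None else addr)

def find_guessers(lines, threshold=5, window=timedelta(seconds=60), year=2000):
    """Return {source: usernames} for sources with >= threshold invalid-user
    lines inside window. threshold, window and year are assumed defaults;
    syslog lines carry no year, so one has to be supplied."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            src = normalize(m.group(3))
        except ValueError:
            continue  # not an IP literal; ignored here
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events[src].append((ts, m.group(2)))
    flagged = {}
    for src, hits in events.items():
        times = sorted(t for t, _ in hits)
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged[src] = sorted({u for _, u in hits})
    return flagged

def hosts_deny(flagged):
    """Render /etc/hosts.deny lines; IPv6 uses the [addr]/prefixlen form."""
    return [f"sshd: [{s}]/128" if ":" in s else f"sshd: {s}" for s in sorted(flagged)]
```

The generated lines only take effect if sshd is linked against tcp-wrappers; on most systems `ldd` on the sshd binary shows `libwrap` when it is.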
