Very simple effective fix if you have iptables: iptables -A INPUT -p tcp --dport 22 -s your_subnet/21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix 'SSH attack: ' iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP Replace your subnet with the IP pool you never want to block. After its working do 'service iptables save' to save it. This stopped all problems like this for me. Matt > Spotted this a few minutes ago on one of our back-end servers. Didn't work, but worth noting. > > Tom S. > > May 2 01:05:12 QORVUS1 sshd[21728]: Illegal user lieu from 213.165.154.53 > May 2 01:05:13 QORVUS1 sshd[21730]: Illegal user lilly from 213.165.154.53 > May 2 01:05:15 QORVUS1 sshd[21739]: Illegal user linda from 213.165.154.53 > May 2 01:05:17 QORVUS1 sshd[21751]: Illegal user ling from 213.165.154.53 > May 2 01:05:18 QORVUS1 sshd[21754]: Illegal user lionel from 213.165.154.53 > May 2 01:05:20 QORVUS1 sshd[21761]: Illegal user lis from 213.165.154.53 > May 2 01:05:22 QORVUS1 sshd[21763]: Illegal user lisa from 213.165.154.53 > May 2 01:05:22 QORVUS1 kernel: multicast > May 2 01:05:23 QORVUS1 sshd[21765]: Illegal user liv from 213.165.154.53 > May 2 01:05:25 QORVUS1 sshd[21768]: Illegal user liz from 213.165.154.53 > May 2 01:05:26 QORVUS1 sshd[21806]: Illegal user liza from 213.165.154.53 > May 2 01:05:28 QORVUS1 sshd[21808]: Illegal user loan from 213.165.154.53 > May 2 01:05:30 QORVUS1 sshd[21810]: Illegal user logan from 213.165.154.53 > May 2 01:05:31 QORVUS1 sshd[21812]: Illegal user lois from 213.165.154.53 > May 2 01:05:33 QORVUS1 sshd[21814]: Illegal user lok from 213.165.154.53 > May 2 01:05:35 QORVUS1 sshd[21817]: Illegal user loki from 213.165.154.53 > May 2 01:05:37 QORVUS1 sshd[21819]: Illegal user lola from 213.165.154.53 > May 2 01:05:38 QORVUS1 sshd[21821]: Illegal user long from 213.165.154.53 > May 2 01:05:40 QORVUS1 sshd[21823]: Illegal user lorena from 213.165.154.53 > May 2 01:05:42 QORVUS1 sshd[21825]: Illegal user lorene from 213.165.154.53 > May 2 01:05:43 QORVUS1 sshd[21827]: Illegal user lorenzo from 213.165.154.53 > May 2 01:05:45 QORVUS1 sshd[21830]: Illegal user lorna from 213.165.154.53 > May 2 01:05:46 QORVUS1 sshd[21868]: Illegal user lotus from 213.165.154.53 > May 2 01:05:48 QORVUS1 sshd[21870]: Illegal user lou from 213.165.154.53 > May 2 01:05:50 QORVUS1 sshd[21881]: Illegal user louis from 213.165.154.53 > May 2 01:05:51 QORVUS1 sshd[21888]: Illegal user luca from 213.165.154.53 > May 2 01:05:53 QORVUS1 sshd[21891]: Illegal user lucas from 213.165.154.53 > May 2 01:05:55 QORVUS1 sshd[21906]: Illegal user lucian from 213.165.154.53 > May 2 01:05:56 QORVUS1 sshd[21912]: Illegal user lucky from 213.165.154.53 > May 2 01:05:58 QORVUS1 sshd[21917]: Illegal user lucy from 213.165.154.53 > May 2 01:05:59 QORVUS1 sshd[21921]: Illegal user ludwig from 213.165.154.53 > May 2 01:06:01 QORVUS1 sshd[21923]: Illegal user luigi from 213.165.154.53 > May 2 01:06:03 QORVUS1 sshd[22065]: Illegal user luis from 213.165.154.53 > May 2 01:06:04 QORVUS1 sshd[22069]: Illegal user luke from 213.165.154.53 > May 2 01:06:06 QORVUS1 sshd[22089]: Illegal user luna from 213.165.154.53 > May 2 01:06:07 QORVUS1 sshd[22110]: Illegal user lupe from 213.165.154.53 > May 2 01:06:09 QORVUS1 sshd[22112]: Illegal user luther from 213.165.154.53 > May 2 01:06:11 QORVUS1 sshd[22114]: Illegal user luz from 213.165.154.53 > May 2 01:06:12 QORVUS1 sshd[22116]: Illegal user ly from 213.165.154.53 > May 2 01:06:14 QORVUS1 sshd[22118]: Illegal user lyn from 213.165.154.53 > May 2 01:06:15 QORVUS1 sshd[22121]: Illegal user lynda from 213.165.154.53 > May 2 01:06:17 QORVUS1 sshd[22123]: Illegal user lynn from 213.165.154.53 > May 2 01:06:19 QORVUS1 sshd[22125]: Illegal user lysa from 213.165.154.53 > May 2 01:06:20 QORVUS1 sshd[22127]: Illegal user mac from 213.165.154.53 > May 2 01:06:22 QORVUS1 kernel: multicast > May 2 01:06:22 QORVUS1 sshd[22129]: Illegal user macy from 213.165.154.53 > May 2 01:06:24 QORVUS1 sshd[22131]: Illegal user mae from 213.165.154.53 > May 2 01:06:25 QORVUS1 sshd[22134]: Illegal user pwla from 213.165.154.53 > May 2 01:06:27 QORVUS1 sshd[22172]: Illegal user mama from 213.165.154.53 > May 2 01:06:28 QORVUS1 sshd[22181]: Illegal user maeko from 213.165.154.53 > May 2 01:06:30 QORVUS1 sshd[22190]: Illegal user magda from 213.165.154.53 > May 2 01:06:32 QORVUS1 sshd[22192]: Illegal user maggie from 213.165.154.53 > May 2 01:06:33 QORVUS1 sshd[22204]: Illegal user mai from 213.165.154.53 > May 2 01:06:35 QORVUS1 sshd[22214]: Illegal user maia from 213.165.154.53 > May 2 01:06:36 QORVUS1 sshd[22220]: Illegal user makoto from 213.165.154.53 > May 2 01:06:38 QORVUS1 sshd[22223]: Illegal user mallory from 213.165.154.53 > May 2 01:06:40 QORVUS1 sshd[22225]: Illegal user mandy from 213.165.154.53 > May 2 01:06:41 QORVUS1 sshd[22227]: Illegal user marc from 213.165.154.53 > May 2 01:06:43 QORVUS1 sshd[22229]: Illegal user marcel from 213.165.154.53 > May 2 01:06:44 QORVUS1 sshd[22232]: Illegal user marco from 213.165.154.53 > May 2 01:06:46 QORVUS1 sshd[22235]: Illegal user marcus from 213.165.154.53 > May 2 01:06:48 QORVUS1 sshd[22272]: Illegal user margot from 213.165.154.53 > May 2 01:06:49 QORVUS1 sshd[22274]: Illegal user mari from 213.165.154.53 > May 2 01:06:51 QORVUS1 sshd[22276]: Illegal user maria from 213.165.154.53 > May 2 01:06:53 QORVUS1 sshd[22278]: Illegal user mariah from 213.165.154.53 > May 2 01:06:54 QORVUS1 sshd[22280]: Illegal user marie from 213.165.154.53 > May 2 01:06:56 QORVUS1 sshd[22283]: Illegal user mariko from 213.165.154.53 > May 2 01:06:57 QORVUS1 sshd[22285]: Illegal user marilyn from 213.165.154.53 > May 2 01:06:59 QORVUS1 sshd[22287]: Illegal user marina from 213.165.154.53 > May 2 01:07:01 QORVUS1 sshd[22289]: Illegal user mario from 213.165.154.53 > May 2 01:07:02 QORVUS1 sshd[22317]: Illegal user marisa from 213.165.154.53 > May 2 01:07:04 QORVUS1 sshd[22474]: Illegal user mark from 213.165.154.53 > May 2 01:07:05 QORVUS1 sshd[22477]: Illegal user marka from 213.165.154.53 > May 2 01:07:07 QORVUS1 sshd[22503]: Illegal user marta from 213.165.154.53 > May 2 01:07:09 QORVUS1 sshd[22531]: Illegal user martin from 213.165.154.53 > May 2 01:07:10 QORVUS1 sshd[22533]: Illegal user mary from 213.165.154.53 > May 2 01:07:12 QORVUS1 sshd[22542]: Illegal user masako from 213.165.154.53 > May 2 01:07:13 QORVUS1 sshd[22554]: Illegal user mason from 213.165.154.53 > May 2 01:07:15 QORVUS1 sshd[22557]: Illegal user mateo from 213.165.154.53 > May 2 01:07:17 QORVUS1 sshd[22564]: Illegal user matias from 213.165.154.53 > May 2 01:07:18 QORVUS1 sshd[22566]: Illegal user matt from 213.165.154.53 > May 2 01:07:20 QORVUS1 sshd[22568]: Illegal user matteo from 213.165.154.53 > May 2 01:07:22 QORVUS1 sshd[22570]: Illegal user mauro from 213.165.154.53 > May 2 01:07:22 QORVUS1 kernel: multicast > May 2 01:07:23 QORVUS1 sshd[22572]: Illegal user max from 213.165.154.53 > May 2 01:07:25 QORVUS1 sshd[22575]: Illegal user maxim from 213.165.154.53 > May 2 01:07:26 QORVUS1 sshd[22578]: Illegal user maxima from 213.165.154.53 > May 2 01:07:28 QORVUS1 sshd[22615]: Illegal user maya from 213.165.154.53 > May 2 01:07:30 QORVUS1 sshd[22617]: Illegal user meg from 213.165.154.53 > May 2 01:07:31 QORVUS1 sshd[22619]: Illegal user megan from 213.165.154.53 > May 2 01:07:33 QORVUS1 sshd[22621]: Illegal user megara from 213.165.154.53 > May 2 01:07:34 QORVUS1 sshd[22624]: Illegal user mel from 213.165.154.53 > May 2 01:07:36 QORVUS1 sshd[22626]: Illegal user melissa from 213.165.154.53 > May 2 01:07:38 QORVUS1 sshd[22628]: Illegal user michael from 213.165.154.53 > May 2 01:07:39 QORVUS1 sshd[22630]: Illegal user michel from 213.165.154.53 > May 2 01:07:41 QORVUS1 sshd[22632]: Illegal user mick from 213.165.154.53 > May 2 01:07:43 QORVUS1 sshd[22634]: Illegal user mickey from 213.165.154.53 > May 2 01:07:45 QORVUS1 sshd[22637]: Illegal user mike from 213.165.154.53 > May 2 01:07:46 QORVUS1 sshd[22649]: Illegal user mikel from 213.165.154.53 > May 2 01:07:48 QORVUS1 sshd[22674]: Illegal user miki from 213.165.154.53 > May 2 01:07:49 QORVUS1 sshd[22693]: Illegal user milo from 213.165.154.53 > May 2 01:07:51 QORVUS1 sshd[22695]: Illegal user mindy from 213.165.154.53 > May 2 01:07:53 QORVUS1 sshd[22706]: Illegal user missy from 213.165.154.53 > May 2 01:07:54 QORVUS1 sshd[22716]: Illegal user mistico from 213.165.154.53 > May 2 01:07:56 QORVUS1 sshd[22719]: Illegal user mo from 213.165.154.53 > May 2 01:07:58 QORVUS1 sshd[22726]: Illegal user mona from 213.165.154.53 > May 2 01:07:59 QORVUS1 sshd[22728]: Illegal user monet from 213.165.154.53 > May 2 01:08:01 QORVUS1 sshd[22730]: Illegal user monica from 213.165.154.53 > May 2 01:08:02 QORVUS1 sshd[22795]: Illegal user monique from 213.165.154.53 > May 2 01:08:04 QORVUS1 sshd[22980]: Illegal user morse from 213.165.154.53 > May 2 01:08:06 QORVUS1 sshd[22983]: Illegal user mort from 213.165.154.53 > May 2 01:08:07 QORVUS1 sshd[22986]: Illegal user moss from 213.165.154.53 > May 2 01:08:09 QORVUS1 sshd[23024]: Illegal user murphy from 213.165.154.53 > May 2 01:08:10 QORVUS1 sshd[23026]: Illegal user nadia from 213.165.154.53 > May 2 01:08:12 QORVUS1 sshd[23028]: Illegal user nadie from 213.165.154.53 > May 2 01:08:14 QORVUS1 sshd[23030]: Illegal user nadine from 213.165.154.53 > May 2 01:08:15 QORVUS1 sshd[23033]: Illegal user naif from 213.165.154.53 > May 2 01:08:17 QORVUS1 sshd[23035]: Illegal user nan from 213.165.154.53 > May 2 01:08:19 QORVUS1 sshd[23037]: Illegal user nancy from 213.165.154.53 > May 2 01:08:20 QORVUS1 sshd[23039]: Illegal user nash from 213.165.154.53 > May 2 01:08:22 QORVUS1 sshd[23041]: Illegal user nat from 213.165.154.53 > May 2 01:08:22 QORVUS1 kernel: multicast > May 2 01:08:23 QORVUS1 sshd[23043]: Illegal user natalia from 213.165.154.53 > May 2 01:08:25 QORVUS1 sshd[23046]: Illegal user natalie from 213.165.154.53 > May 2 01:08:27 QORVUS1 sshd[23049]: Illegal user nathan from 213.165.154.53 > May 2 01:08:28 QORVUS1 sshd[23064]: Illegal user nathalie from 213.165.154.53 > May 2 01:08:30 QORVUS1 sshd[23102]: Illegal user natsu from 213.165.154.53 > May 2 01:08:31 QORVUS1 sshd[23111]: Illegal user neil from 213.165.154.53 > May 2 01:08:33 QORVUS1 sshd[23123]: Illegal user nelly from 213.165.154.53 > May 2 01:08:35 QORVUS1 sshd[23126]: Illegal user nelson from 213.165.154.53 > May 2 01:08:36 QORVUS1 sshd[23133]: Illegal user nen from 213.165.154.53 > May 2 01:08:38 QORVUS1 sshd[23135]: Illegal user neo from 213.165.154.53 > May 2 01:08:39 QORVUS1 sshd[23137]: Illegal user nero from 213.165.154.53 > May 2 01:08:41 QORVUS1 sshd[23139]: Illegal user nestor from 213.165.154.53 > May 2 01:08:43 QORVUS1 sshd[23141]: Illegal user nhi from 213.165.154.53 > May 2 01:08:44 QORVUS1 sshd[23143]: Illegal user nhu from 213.165.154.53 > May 2 01:08:46 QORVUS1 sshd[23147]: Illegal user nicholai from 213.165.154.53 > May 2 01:08:47 QORVUS1 sshd[23149]: Illegal user nicholas from 213.165.154.53 > May 2 01:08:49 QORVUS1 sshd[23173]: Illegal user nick from 213.165.154.53 > May 2 01:08:51 QORVUS1 sshd[23188]: Illegal user nicki from 213.165.154.53 > May 2 01:08:52 QORVUS1 sshd[23190]: Illegal user nico from 213.165.154.53 > May 2 01:08:54 QORVUS1 sshd[23192]: Illegal user nicolas from 213.165.154.53 > May 2 01:08:56 QORVUS1 sshd[23195]: Illegal user nikolas from 213.165.154.53 > May 2 01:08:57 QORVUS1 sshd[23197]: Illegal user nicole from 213.165.154.53 > May 2 01:08:59 QORVUS1 sshd[23199]: Illegal user nigel from 213.165.154.53 > May 2 01:09:00 QORVUS1 sshd[23201]: Illegal user nike from 213.165.154.53 > May 2 01:09:02 QORVUS1 sshd[23203]: Illegal user nikita from 213.165.154.53 > May 2 01:09:04 QORVUS1 sshd[23337]: Illegal user nikkos from 213.165.154.53 > May 2 01:09:05 QORVUS1 sshd[23340]: Illegal user nina from 213.165.154.53 > May 2 01:09:07 QORVUS1 sshd[23353]: Illegal user noel from 213.165.154.53 > May 2 01:09:08 QORVUS1 sshd[23359]: Illegal user nori from 213.165.154.53 > May 2 01:09:10 QORVUS1 sshd[23401]: Illegal user norm from 213.165.154.53 > May 2 01:09:12 QORVUS1 sshd[23414]: Illegal user norma from 213.165.154.53 > May 2 01:09:13 QORVUS1 sshd[23417]: Illegal user norman from 213.165.154.53 > May 2 01:09:15 QORVUS1 sshd[23425]: Illegal user norris from 213.165.154.53 > May 2 01:09:17 QORVUS1 sshd[23427]: Illegal user norton from 213.165.154.53 > May 2 01:09:18 QORVUS1 sshd[23429]: Illegal user nox from 213.165.154.53 > May 2 01:09:20 QORVUS1 sshd[23431]: Illegal user nu from 213.165.154.53 > May 2 01:09:21 QORVUS1 sshd[23433]: Illegal user nozomi from 213.165.154.53 > May 2 01:09:22 QORVUS1 kernel: multicast > May 2 01:09:23 QORVUS1 sshd[23438]: Illegal user nyx from 213.165.154.53 > May 2 01:09:25 QORVUS1 sshd[23441]: Illegal user oki from 213.165.154.53 > May 2 01:09:26 QORVUS1 sshd[23444]: Illegal user ok from 213.165.154.53 > May 2 01:09:28 QORVUS1 sshd[23446]: Illegal user oky from 213.165.154.53 > May 2 01:09:29 QORVUS1 sshd[23448]: Illegal user oke from 213.165.154.53 > May 2 01:09:31 QORVUS1 sshd[23485]: Illegal user olga from 213.165.154.53 > May 2 01:09:33 QORVUS1 sshd[23487]: Illegal user oliver from 213.165.154.53 > May 2 01:09:34 QORVUS1 sshd[23489]: Illegal user on from 213.165.154.53 > May 2 01:09:36 QORVUS1 sshd[23492]: Illegal user oprah from 213.165.154.53 > May 2 01:09:37 QORVUS1 sshd[23494]: Illegal user orion from 213.165.154.53 > May 2 01:09:39 QORVUS1 sshd[23496]: Illegal user otto from 213.165.154.53 > May 2 01:09:41 QORVUS1 sshd[23498]: Illegal user owen from 213.165.154.53 > May 2 01:09:42 QORVUS1 sshd[23500]: Illegal user oz from 213.165.154.53 > May 2 01:09:44 QORVUS1 sshd[23502]: Illegal user ozzy from 213.165.154.53 > May 2 01:09:45 QORVUS1 sshd[23519]: Illegal user pablo from 213.165.154.53 > -------------------------------------------------------------------------------- WISPA Wants You! Join today! http://signup.wispa.org/ -------------------------------------------------------------------------------- WISPA Wireless List: [email protected] Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
