[This is a security configuration question. Let me try it here to see if I can get some valuable input before heading to the newsgroup]
Hi,

I used to turn on my sshd just in case I need to ssh back into my box. But recently, I noticed that whenever I turn it on, almost instantly, there will be a cracker attempting to crack into my sshd:

$ tail -15 /var/log/auth.log
Oct 6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152
Oct 6 10:52:05 cxmr sshd[7374]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) check pass; user unknown
Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
Oct 6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2
Oct 6 10:52:10 cxmr sshd[7379]: Invalid user german from 220.229.57.152
Oct 6 10:52:10 cxmr sshd[7379]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) check pass; user unknown
Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
Oct 6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2
Oct 6 10:52:20 cxmr sshd[7384]: Invalid user hitler from 220.229.57.152
Oct 6 10:52:20 cxmr sshd[7384]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) check pass; user unknown
Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
Oct 6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2

What's your recommendation for such a situation?

PS.

1. I used to track down their ISP and complain about the cracking attempts, but nobody seems to be listening to me, and there have never been any responses.

2. I think the (default Debian) sshd configuration should be changed. Even someone who attempts cracking by typing in user names and passwords manually in front of a tty will be penalized. But I've noticed my sshd joyfully allows thousands of cracking attempts within minutes. This is rather silly, or incompetent.

Please comment.

thanks

--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/