A good idea as well is to just make your ssh server listen on a port other than the default one. This will break script kiddie automated SSH scanners.
Of course it doesn't stop real hackers. But it will stop most of the dictionary attacks and stop filling your logs. I had the same problem before. Most of the attacks originated from Asia.

Michael

--- In [email protected], "Shaikh Yunus" <[EMAIL PROTECTED]> wrote:
>
> hi
> I handle this through iptables; there is a patch available by Stephen Frost,
> I think now it's in the mainstream kernel.
>
> iptables -t filter -A INPUT -i ${EXTIFACE} -p tcp --dport 22 \
>     -m state --state NEW -m recent --name LIMIT22 --set
>
> iptables -t filter -A INPUT -i ${EXTIFACE} -p tcp --dport 22 \
>     -m state --state NEW -m recent --name LIMIT22 --update \
>     --seconds 60 --hitcount ${HITS} -j DROP
>
> The above rules will allow number of HITS connections in 1 minute.
> You can set HITS to 3-4.
>
> thanks n regards
>
> Yunus
>
> > Hello guys,
> >
> > Recently (a month or two back) I have been seeing a bit of portscans
> > and dictionary based attacks on my server. Luckily I have only SSH in
> > there, but I find that as days pass by, the scans are becoming more and
> > more intensive.
> >
> > Somebody can comment on the logs that I have? Something I can do to
> > avoid these? I know that moving the SSH port to an obscure will help,
> > but it would be only as long as finding the active port.
> >
> > In such a case what I can do against the attacker?
> >
> > Thanks,
> > Manu
> >
> > Feb 20 17:03:44 bh sshd[28569]: Invalid user ixess from ::ffff:202.26.148.130
> > Feb 20 17:03:47 bh sshd[28571]: Invalid user gnats from ::ffff:202.26.148.130
> > Feb 20 17:03:50 bh sshd[28573]: Invalid user gnats from ::ffff:202.26.148.130
> > Feb 20 17:03:54 bh sshd[28575]: Invalid user gnats from ::ffff:202.26.148.130
> > Feb 20 17:03:57 bh sshd[28577]: Invalid user gnats from ::ffff:202.26.148.130
> > Feb 20 17:04:00 bh sshd[28579]: Invalid user mdom from ::ffff:202.26.148.130
> > Feb 20 17:04:04 bh sshd[28581]: Invalid user mdom from ::ffff:202.26.148.130
> > Feb 20 17:04:07 bh sshd[28583]: Invalid user mdom from ::ffff:202.26.148.130
> > Feb 20 17:04:10 bh sshd[28585]: Invalid user mdom from ::ffff:202.26.148.130
> > Feb 20 17:04:14 bh sshd[28587]: Invalid user lnx from ::ffff:202.26.148.130
> > Feb 20 17:04:17 bh sshd[28589]: Invalid user lnx from ::ffff:202.26.148.130
> > Feb 20 17:04:20 bh sshd[28591]: Invalid user lnx from ::ffff:202.26.148.130
> > Feb 20 17:04:23 bh sshd[28593]: Invalid user lnx from ::ffff:202.26.148.130
> > Feb 20 17:04:27 bh sshd[28595]: Invalid user exam from ::ffff:202.26.148.130
> >
> > <snip>
> >
> > Feb 20 18:39:18 bh sshd[28744]: Invalid user theo from ::ffff:218.189.146.172
> > Feb 20 18:39:18 bh sshd[28744]: reverse mapping checking getaddrinfo for bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 20 18:39:20 bh sshd[28746]: Invalid user theo from ::ffff:218.189.146.172
> > Feb 20 18:39:20 bh sshd[28746]: reverse mapping checking getaddrinfo for bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 20 18:39:21 bh sshd[28748]: Invalid user theo from ::ffff:218.189.146.172
> > Feb 20 18:39:21 bh sshd[28748]: reverse mapping checking getaddrinfo for bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 20 18:39:22 bh sshd[28742]: reverse mapping checking getaddrinfo for bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 20 18:39:22 bh sshd[28750]: Invalid user philip from ::ffff:218.189.146.172
> > Feb 20 18:39:22 bh sshd[28750]: reverse mapping checking getaddrinfo for bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> >
> > <snip>
> >
> > Feb 25 15:50:47 bh sshd[19323]: Invalid user sloan from ::ffff:69.56.181.138
> > Feb 25 15:50:47 bh sshd[19323]: reverse mapping checking getaddrinfo for 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 25 15:50:49 bh sshd[19325]: Invalid user sloane from ::ffff:69.56.181.138
> > Feb 25 15:50:49 bh sshd[19325]: reverse mapping checking getaddrinfo for 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 25 15:50:52 bh sshd[19327]: Invalid user snoop from ::ffff:69.56.181.138
> > Feb 25 15:50:52 bh sshd[19327]: reverse mapping checking getaddrinfo for 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 25 15:50:54 bh sshd[19329]: Invalid user snoopy from ::ffff:69.56.181.138
> > Feb 25 15:50:54 bh sshd[19329]: reverse mapping checking getaddrinfo for 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 25 15:50:57 bh sshd[19331]: Invalid user sonia from ::ffff:69.56.181.138
> > Feb 25 15:50:57 bh sshd[19331]: reverse mapping checking getaddrinfo for 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 25 15:50:59 bh sshd[19333]: Invalid user sonny from ::ffff:69.56.181.138
> > Feb 25 15:50:59 bh sshd[19333]: reverse mapping checking getaddrinfo for 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> > Feb 25 16:06:43 bh sshd[20113]: Invalid user catherine from ::ffff:69.56.181.138
> > Feb 25 16:06:43 bh sshd[20113]: reverse mapping checking getaddrinfo for 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
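
Added example (not part of the original thread): a simplified model of the two `recent` rules quoted above, replayed over sshd log lines in the format Manu posted, to show how many attempts per source would still reach sshd. The sample log and its addresses are constructed, the year passed to the parser is a placeholder, and one "Invalid user" line is assumed to correspond to one new TCP connection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same sshd format as the log in the post
# (addresses are documentation ranges, not taken from the thread).
SAMPLE_LOG = """\
Feb 20 17:03:44 bh sshd[28569]: Invalid user ixess from ::ffff:203.0.113.5
Feb 20 17:03:47 bh sshd[28571]: Invalid user gnats from ::ffff:203.0.113.5
Feb 20 17:03:50 bh sshd[28573]: Invalid user gnats from ::ffff:203.0.113.5
Feb 20 17:03:54 bh sshd[28575]: Invalid user gnats from ::ffff:203.0.113.5
Feb 20 17:04:10 bh sshd[28585]: Invalid user mdom from ::ffff:203.0.113.5
Feb 20 17:09:00 bh sshd[28601]: Invalid user test from ::ffff:198.51.100.7
Feb 20 17:12:30 bh sshd[28610]: Invalid user lnx from ::ffff:203.0.113.5
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (\S+) from (?:::ffff:)?(\S+)$"
)

def parse(log, year=2000):
    """Yield (timestamp, source) per 'Invalid user' line; syslog has no year, so one is assumed."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3)

def simulate(events, hits=4, seconds=60):
    """Return {source: (accepted, dropped)} under the simplified model."""
    stamps = defaultdict(list)            # per-source hit times, like the LIMIT22 list
    result = defaultdict(lambda: [0, 0])
    for ts, src in events:
        stamps[src].append(ts)            # rule 1: --set records the new connection
        recent = [t for t in stamps[src] if (ts - t).total_seconds() <= seconds]
        if len(recent) >= hits:           # rule 2: hit count reached in window -> DROP
            stamps[src].append(ts)        # --update refreshes the entry when it matches
            result[src][1] += 1
        else:
            result[src][0] += 1
    return {src: tuple(v) for src, v in result.items()}

if __name__ == "__main__":
    for src, (ok, dropped) in simulate(parse(SAMPLE_LOG)).items():
        print(f"{src}: {ok} reach sshd, {dropped} dropped")
```

In this model the connection that reaches the hit count is itself dropped, and a source that keeps retrying keeps refreshing its entry, so it stays blocked until it has been quiet for the full window.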
