More SSH 'trolling'

Pasha e97665728 at 013.net
Thu Oct 14 14:57:03 UTC 2004


Brian Fahrlander wrote:

>    I just got a notice from LogWatch with the dire warning "POSSIBLE
>BREAKIN ATTEMPT!".  Quite a lot of them, too.  I'm already disabling the
>root login and have /etc/hosts.allow turning away 'unknown' addresses.
>(This version uses that, right? It's unmodified...)
>
>    The typical entry looks like this:
>Oct 13 06:33:14 fahrlander sshd[13361]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
>Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from 67.19.122.170
>Oct 13 06:53:08 fahrlander sshd[13468]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
>Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
>Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
>Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody
>
>    And this site hit me 40-50 times trying various usernames, including
>'root' quite a lot. Other names such as patrick, nobody, wwwrun, www,
>cyrus, horde, iceuser, rolo...it doesn't look like anything that, say,
>Cisco would use on their factory defaults.  They also don't look like a
>set of names _I_ would use, so they probably don't know _me_.  Times
>range from 0633-0654...
>
>    Some questions:
>
>    - Anyone else getting this?
>  
>
I used to get a few attempts every day on my home box. I moved ssh to a 
different port and it stopped. As was already discussed on this list, it 
is not a real security measure, but it helps very well against script 
kiddies. I also disabled root ssh logon and defined users allowed to 
log in through ssh.
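One way to turn sshd lines like the ones quoted above into a per-peer summary, as an added example (not code from anyone in this thread): sshd names the peer on one line and the rejected user on another, so the script joins them on the sshd pid and flags peers that try several distinct account names, which is the pattern Brian describes. The sample lines are constructed from the ones quoted in the post plus a few more in the same format; host.example.net, user bob and the threshold of three names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post: the original lines plus
# a few more probes from the same reverse name and one stray attempt elsewhere.
SAMPLE_LOG = """\
Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from 67.19.122.170
Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody
Oct 13 06:53:31 fahrlander sshd[13470]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:31 fahrlander sshd[13470]: User patrick not allowed because not listed in AllowUsers
Oct 13 06:53:50 fahrlander sshd[13472]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:50 fahrlander sshd[13472]: User root not allowed because not listed in AllowUsers
Oct 13 08:12:40 fahrlander sshd[13600]: reverse mapping checking getaddrinfo for host.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 08:12:40 fahrlander sshd[13600]: User bob not allowed because not listed in AllowUsers
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Messages that name the peer: its address, or the reverse name sshd tried to verify.
SRC_RES = (re.compile(r"Did not receive identification string from (?P<src>\S+)"),
           re.compile(r"reverse mapping checking getaddrinfo for (?P<src>\S+) failed"))
USER_RE = re.compile(r"User (?P<user>\S+) not allowed because not listed in AllowUsers")


def summarize_sshd(text):
    """Join peer and rejected user name on the sshd pid; return {peer: {"connections", "users"}}."""
    src_by_pid, users_by_pid = {}, defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        for rx in SRC_RES:
            s = rx.search(msg)
            if s:
                src_by_pid[pid] = s["src"]
        u = USER_RE.search(msg)
        if u:
            users_by_pid[pid].append(u["user"])
    summary = defaultdict(lambda: {"connections": 0, "users": []})
    for pid, src in src_by_pid.items():
        summary[src]["connections"] += 1
        summary[src]["users"].extend(users_by_pid.get(pid, []))
    return dict(summary)


def probing_peers(summary, min_users=3):
    """Peers that tried at least min_users distinct names (threshold is an assumption; tune per host)."""
    return sorted(src for src, s in summary.items() if len(set(s["users"])) >= min_users)
```

sshd logs the same peer as an address on one line and as its reverse name on another, so 67.19.122.170 and 170.67-19-122.reverse.theplanet.com end up as two keys that describe one source; merging them needs a resolver lookup the script does not do.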




More information about the fedora-list mailing list