ssh security

[jdow]

From: "Gerald" <gwichman at gmail.com>

> It looks like i'm getting a dictionary attack on my system. I moved
> ssh to another port instead of 22 in hopes that would put a halt to it
> but it did not. Any recommendations to improve security here? I notice
> these attacks come from a variety of IP's so pursuing one individual
> is probably not worthwhile.
> 
> [root at corona ~]# tail /var/log/secure
> Dec 25 17:51:09 corona sshd[24704]: Failed password for invalid user
> turid from ::ffff:203.115.124.116 port 38370 ssh2
> Dec 25 17:51:12 corona sshd[24707]: Invalid user turnage from
> ::ffff:203.115.124.116
> Dec 25 17:51:14 corona sshd[24707]: Failed password for invalid user
> turnage from ::ffff:203.115.124.116 port 38886 ssh2
> Dec 25 17:51:18 corona sshd[24710]: Invalid user turnbough from
> ::ffff:203.115.124.116
> Dec 25 17:51:20 corona sshd[24710]: Failed password for invalid user
> turnbough from ::ffff:203.115.124.116 port 39397 ssh2
> Dec 25 17:51:22 corona sshd[24713]: Invalid user turner from
> ::ffff:203.115.124.116
> Dec 25 17:51:25 corona sshd[24713]: Failed password for invalid user
> turner from ::ffff:203.115.124.116 port 40228 ssh2
> Dec 25 17:51:27 corona sshd[24716]: Invalid user tursun from
> ::ffff:203.115.124.116
> Dec 25 17:51:30 corona sshd[24716]: Failed password for invalid user
> tursun from ::ffff:203.115.124.116 port 40714 ssh2
> Dec 25 21:20:46 corona sshd[24897]: Accepted password for root from
> ::ffff:10.1.1.17 port 4500 ssh2
> [root at corona ~]#

Unless the last one was you, Gerald, your machine is no longer your
machine. Disconnect it, save important data, reformat, and reload your
software from KNOWN GOOD backups.

{^_^}