how to react on ssh attacks?

Stephanus Fengler fengler at uiuc.edu
Mon Oct 24 09:49:21 UTC 2005


Dear list readers,

I know that this is not a security list but it seems a good starting 
point for me as an ordinary user to ask whether someone can point me in 
the right direction.

I recently checked my log files of my ssh service (so far as I 
understand this is my only service open) and realized that from the very 
same IP I got a lot of requests trying to guess a user name on my system, 
I assume. Since login name always changes in even chronological 
alphabetical order.

So shall I worry about it or do I need to do some countermeasures?

Requests look like:
Oct 23 10:49:42 ********* sshd[15806]: Failed password for root from 81.208.32.170 port 1354 ssh2
Oct 23 10:49:45 ********* sshd[15809]: Failed password for root from 81.208.32.170 port 1507 ssh2
Oct 23 10:49:47 ********* sshd[15811]: Failed password for root from 81.208.32.170 port 1654 ssh2
Oct 23 10:49:50 ********* sshd[15813]: Failed password for root from 81.208.32.170 port 1798 ssh2
Oct 23 10:49:53 ********* sshd[15815]: Failed password for root from 81.208.32.170 port 1947 ssh2
Oct 23 10:49:56 ********* sshd[15817]: Failed password for root from 81.208.32.170 port 2098 ssh2
Oct 23 10:49:59 ********* sshd[15821]: Failed password for root from 81.208.32.170 port 2241 ssh2
...
and
Oct 23 11:01:32 ********* sshd[16367]: Invalid user dakota from 81.208.32.170
Oct 23 11:01:34 ********* sshd[16367]: Failed password for invalid user dakota from 81.208.32.170 port 3920 ssh2
Oct 23 11:01:35 ********* sshd[16369]: Invalid user dustin from 81.208.32.170
Oct 23 11:01:37 ********* sshd[16369]: Failed password for invalid user dustin from 81.208.32.170 port 4083 ssh2
Oct 23 11:01:38 ********* sshd[16371]: Invalid user derek from 81.208.32.170
...
going on for a while.....

If someone can point me in the right direction what to do and what 
certainly not to do I would be thankful.

Thanks,
fengler
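
Added example, not part of the original message: a small Python triage of sshd log lines in the format quoted above, counting failed passwords per source address and listing the account names tried. The sample log is constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same sshd syslog format as the lines quoted above;
# the host name and the 203.0.113.0/24 documentation addresses are placeholders.
SAMPLE_LOG = """\
Oct 23 10:49:42 host sshd[15806]: Failed password for root from 203.0.113.5 port 1354 ssh2
Oct 23 10:49:45 host sshd[15809]: Failed password for root from 203.0.113.5 port 1507 ssh2
Oct 23 10:49:47 host sshd[15811]: Failed password for root from 203.0.113.5 port 1654 ssh2
Oct 23 11:01:32 host sshd[16367]: Invalid user dakota from 203.0.113.5
Oct 23 11:01:34 host sshd[16367]: Failed password for invalid user dakota from 203.0.113.5 port 3920 ssh2
Oct 23 11:01:35 host sshd[16369]: Invalid user dustin from 203.0.113.5
Oct 23 11:01:37 host sshd[16369]: Failed password for invalid user dustin from 203.0.113.5 port 4083 ssh2
Oct 23 11:01:38 host sshd[16371]: Invalid user derek from 203.0.113.5
Oct 23 11:05:10 host sshd[16400]: Failed password for alice from 203.0.113.77 port 5050 ssh2
Oct 23 11:05:20 host sshd[16402]: Accepted password for alice from 203.0.113.77 port 5051 ssh2
"""

# The user name is supplied by the remote side and may contain spaces or the
# word "from"; the greedy group makes the last " from " on the line the separator.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.+) from (\S+) port \d+ ssh2$")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+)(?: port \d+)?$")

def summarize(log_text):
    """Per source address: failed-password count and account names tried."""
    stats = defaultdict(lambda: {"failed": 0, "valid": set(), "invalid": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, src = m.groups()
            stats[src]["failed"] += 1
            stats[src]["invalid" if invalid else "valid"].add(user)
            continue
        m = INVALID.search(line)
        if m:
            # Same attempt as the "Failed password" line that follows it, so
            # record the name only and do not count the attempt twice.
            stats[m.group(2)]["invalid"].add(m.group(1))
    return dict(stats)

def suspects(stats, min_failed=5, min_names=3):
    """Addresses with many failures or many distinct account names tried."""
    return sorted(src for src, s in stats.items()
                  if s["failed"] >= min_failed
                  or len(s["valid"] | s["invalid"]) >= min_names)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for src, s in result.items():
        print(src, s["failed"], sorted(s["valid"]), sorted(s["invalid"]))
    print("suspects:", suspects(result))
```
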



