[K12OSN] How do I stop attempted logins

Rob Owens hick518 at yahoo.com
Tue Mar 22 11:28:07 UTC 2005


I do something similar at home.  I do not allow ssh
attempts from anywhere except for a few blocks of IP
addresses that I specifically define.  

In your case, find out your current public IP address
at home.  Enter it into the dialog box at this site:
www.checkdomain.com.  It will tell you your ISP's name
and what blocks of IP addresses they own.  Simply
allow ssh attempts from that block of IP addresses and
you know you will always be allowed access to your
server, even if your dynamic IP address at home
changes.

-Rob

--- "Terrell Prudé, Jr." <microman at cmosnetworks.com> wrote:
> Yes, there is.  I get this all the time as well.
>
> What you do is simply do a whois on those IP addresses to find the
> provider associated with them.  Since they're coming from Asia, it is
> safe to just use iptables to block those entire subnets to your
> server...unless you actually have a business need for someone from Asia
> to be ssh'ing to your box.  :-)  Most of the providers over there are
> using /16's, and so a few iptables rules are quite sufficient to block a
> bunch of them in one fell swoop.  Sometimes you can combine more than
> one provider's IP address range in a single iptables rule.  I do this at
> home with very good results; my logs are filling up considerably more
> slowly than before.
>
> --TP
> 
> Dr. Daniel Loomis wrote:
>
> >I have remote access set up for our server so I can transfer files, check
> >logs, and do maintenance from home.  I have it set up using a
> >public/private key-pair, with password login disabled.  Root logins are
> >also disabled.  I have it set up to only allow one non-privileged user in
> >the /etc/ssh/sshd_config file.
> >
> >No login prompt is ever presented to the outside world on port 22.
> >However, I still get hundreds of attempts each day from automated probes,
> >usually at intervals of 1-2 seconds.  None have been able to break in
> >since I do not accept password logins.  Here is what is presented to
> >anyone trying to log in on port 22:
> >
> >  FIRST PRESBYTERIAN CHURCH LIBRARY
> >  Password Login = Disabled
> >  Permission denied (publickey).
> >
> >I have considered changing to a non-standard port, but I suspect that a
> >simple portscan would quickly discover it and the attempts would
> >continue.
> >
> >My /var/log/secure files are filling up fast with these repeated break-in
> >attempts.  I have done a whois on several of the addresses.  Most seem
> >to be coming from Taiwan and other places in Asia.
> >
> >Is there some way to stop this infernal nuisance?
> >
> >RevCurmudgeon
> 
> 
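
The allowlist approach described at the top of this message, as an added example that is not part of the original thread: it validates a list of IPv4 blocks and prints the iptables commands that accept port 22 only from those blocks. The chain name SSH_ALLOW and the sample blocks are assumptions (constructed documentation ranges, not real ISP data).

```shell
#!/bin/sh
# Constructed sample blocks (RFC 5737 documentation ranges), not real ISP data.
ALLOWED_BLOCKS="198.51.100.0/24 203.0.113.0/24"

# Succeed only if $1 is an IPv4 block written a.b.c.d/n (octets 0-255, n 0-32).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the iptables commands for an allowlist chain (SSH_ALLOW is a
# hypothetical name). Nothing is printed if any block fails validation.
ssh_allowlist_rules() {
    for block in "$@"; do
        valid_cidr "$block" || { echo "invalid block: $block" >&2; return 1; }
    done
    echo "iptables -N SSH_ALLOW"
    for block in "$@"; do
        echo "iptables -A SSH_ALLOW -s $block -j ACCEPT"
    done
    echo "iptables -A SSH_ALLOW -j DROP"
    # The jump is added last so port 22 is never routed into a half-built chain.
    echo "iptables -I INPUT -p tcp --dport 22 -j SSH_ALLOW"
}

# Print only; review the output, then run it as root to apply it.
ssh_allowlist_rules $ALLOWED_BLOCKS
```

iptables filters IPv4 only; if sshd also listens on IPv6, the equivalent rules are needed in ip6tables.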


		