[K12OSN] How do I stop attempted logins
"Terrell Prudé, Jr."
microman at cmosnetworks.com
Tue Mar 22 03:12:51 UTC 2005
Yes, there is. I get this all the time as well.
What you do is simply do a whois on those IP addresses to find the
provider associated with them. Since they're coming from Asia, it is
safe to just use iptables to block those entire subnets to your
server...unless you actually have a business need for someone from Asia
to be ssh'ing to your box. :-) Most of the providers over there are
using /16's, and so a few iptables rules are quite sufficient to block a
bunch of them in one fell swoop. Sometimes you can combine more than
one provider's IP address range in a single iptables rule. I do this at
home with very good results; my logs are filling up considerably more
slowly than before.
--TP
Dr. Daniel Loomis wrote:
>I have remote access setup for our server so I can transfer files, check
>logs, and do maintenance from home. I have it setup using a
>public/private key-pair, with password login disabled. Root logins are
>also disabled. I have it setup to only allow one non-privileged user in
>the /etc/ssh/sshd_config file.
>
>No login prompt is ever presented to the outside world on port 22.
>However, I still get hundreds of attempts each day from automated probes
>usually at intervals of 1-2 seconds. None have been able to breakin
>since I do not accept password logins. Here is what is presented to
>anyone trying to login on port 22:
>
> FIRST PRESBYTERIAN CHURCH LIBRARY
> Password Login = Disabled
> Permission denied (publickey).
>
>
>I have considered changing to a non-standard port, but I suspect that a
>simple portscan would quickly discover it and the attempts would
>continue.
>
>My /var/log/secure files are filling up fast with these repeated breakin
>attempts. I have done a whois on several of the addresses. Most seem
>to be coming from Taiwan and other places in Asia.
>
>Is there some way to stop this infernal nuisance?
>
>RevCurmudgeon
>
>
>
>
More information about the K12OSN
mailing list