[K12OSN] How do I stop attempted logins

["Terrell Prudé, Jr."]

Yes, there is.  I get this all the time as well.

What you do is simply do a whois on those IP addresses to find the 
provider associated with them.  Since they're coming from Asia, it is 
safe to just use iptables to block those entire subnets to your 
server...unless you actually have a business need for someone from Asia 
to be ssh'ing to your box.  :-)  Most of the providers over there are 
using /16's, and so a few iptables rules are quite sufficient to block a 
bunch of them in one fell swoop.  Sometimes you can combine more than 
one provider's IP address range in a single iptables rule.  I do this at 
home with very good results; my logs are filling up considerably more 
slowly than before.

--TP

Dr. Daniel Loomis wrote:

>I have remote access setup for our server so I can transfer files, check
>logs, and do maintenance from home.  I have it setup using a
>public/private key-pair, with password login disabled.  Root logins are
>also disabled.  I have it setup to only allow one non-privileged user in
>the /etc/ssh/sshd_config file.
>
>No login prompt is ever presented to the outside world on port 22. 
>However, I still get hundreds of attempts each day from automated probes
>usually at intervals of 1-2 seconds.  None have been able to breakin
>since I do not accept password logins.  Here is what is presented to
>anyone trying to login on port 22:
>
>  FIRST PRESBYTERIAN CHURCH LIBRARY
>  Password Login = Disabled
>  Permission denied (publickey).
>
>
>I have considered changing to a non-standard port, but I suspect that a
>simple portscan would quickly discover it and the attempts would
>continue.
>
>My /var/log/secure files are filling up fast with these repeated breakin
>attempts.  I have done a whois on several of the addresses.  Most seem
>to be coming from Taiwan and other places in Asia.
>
>Is there some way to stop this infernal nuisance?  
>
>RevCurmudgeon
>
>
>  
>