[ILUG] Breakins attempted - advice please
Paul Mullen
mullen.paul at gmail.com
Wed Aug 27 12:09:30 IST 2008
Hi John,
John Kinsella wrote:
> Hi,
> no flames please!
>
> I'm being regularly subjected to what appear to auth.log (and me) to
> be attempted breakins on my office desktop machine (Ubuntu Hearty
> Heron with Firestarter firewall)
> e.g.
>
> ==============8<===========
> Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=200.78.212.68 user=root
> Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from
> 200.78.212.68 port 34256 ssh2
> Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking
> getaddrinfo for na-200-78-212-68.na.avantel.net.mx [200.78.212.68]
> failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from
> 200.78.212.68
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): check pass;
> user unknown
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=200.78.212.68
> Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user
> magazine from 200.78.212.68 port 34486 ssh2
> ==============8<===========
>
> I'd like to keep sshd running so I can log in from home.
>
> Other than changine firewall settings to block all but my ISP's IP
> addresses for access via ssh is there anything else that I should be
> looking at?
I'd look at fail2ban or hostdeny which will add a firewall rule after a
configurable number of failed login attempts from a host. Also only use
passphrase protected ssh keys to log into your box and turn off password
auth.
>
> Thanks
>
> John
>
Paul.
More information about the ILUG
mailing list