[ILUG] Breakins attempted - advice please
John Allen
john.allen at dublinux.net
Wed Aug 27 15:39:07 IST 2008
I'm using shorewall, and the following line in my rules file practically
stopped all the brute force attacks
ACCEPT all $FW tcp ssh - - 8/min:2
John Kinsella wrote:
> Hi,
> no flames please!
>
> I'm being regularly subjected to what appear to auth.log (and me) to
> be attempted breakins on my office desktop machine (Ubuntu Hearty
> Heron with Firestarter firewall)
> e.g.
>
> ==============8<===========
> Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=200.78.212.68 user=root
> Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from
> 200.78.212.68 port 34256 ssh2
> Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking
> getaddrinfo for na-200-78-212-68.na.avantel.net.mx [200.78.212.68]
> failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from
> 200.78.212.68
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): check pass;
> user unknown
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=200.78.212.68
> Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user
> magazine from 200.78.212.68 port 34486 ssh2
> ==============8<===========
>
> I'd like to keep sshd running so I can log in from home.
>
> Other than changing firewall settings to block all but my ISP's IP
> addresses for access via ssh is there anything else that I should be
> looking at?
>
> Thanks
>
> John
>
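
Added example (not part of the original thread, and not shorewall's own code): a Python sketch that groups "Failed password" lines in the auth.log format quoted above by source address, then estimates how many of those attempts a rate/burst limit such as 8/min:2 would have let through. The sample log is constructed, and the token bucket is a simplified model that assumes one new connection per failed-password line and is applied to one source's attempts at a time.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth.log format quoted above (documentation IPs).
SAMPLE = """\
Aug 27 11:56:20 host sshd[100]: Failed password for root from 203.0.113.7 port 34256 ssh2
Aug 27 11:56:22 host sshd[101]: Failed password for invalid user magazine from 203.0.113.7 port 34486 ssh2
Aug 27 11:56:24 host sshd[102]: Failed password for invalid user test from 203.0.113.7 port 34600 ssh2
Aug 27 11:56:26 host sshd[103]: Failed password for root from 203.0.113.7 port 34712 ssh2
Aug 27 11:58:00 host sshd[104]: Failed password for john from 198.51.100.9 port 40000 ssh2
Aug 27 11:58:05 host sshd[105]: Accepted password for john from 198.51.100.9 port 40010 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")

def failures_by_source(text, year=2008):
    """Map source IP -> list of (timestamp, user, user_is_invalid)."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps omit the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out[m.group(4)].append((ts, m.group(3), bool(m.group(2))))
    return dict(out)

def accepted_under_limit(times, per_min=8, burst=2):
    """Simplified token bucket (assumption): start with `burst` tokens,
    refill at `per_min` per minute up to `burst`, one token per attempt."""
    tokens, last, accepted = float(burst), None, 0
    for t in sorted(times):
        if last is not None:
            tokens = min(burst, tokens + (t - last).total_seconds() * per_min / 60)
        last = t
        if tokens >= 1:
            tokens -= 1
            accepted += 1
    return accepted

if __name__ == "__main__":
    for ip, events in failures_by_source(SAMPLE).items():
        times = [e[0] for e in events]
        print(ip, len(events), "failures,", sum(e[2] for e in events),
              "invalid users,", accepted_under_limit(times), "within 8/min:2")
```
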