
Re: [tlug] Blocking bad sshd bruteforce attempt



On Tue, 2006-07-11 at 15:33 +0900, Birkir A. Barkarson wrote:
> Hung Vu Nguyen wrote:
> > Hi all,
> > 
> > I have openssh 3.7p1 running on port 22 in Debian ( quite old
> > version). The kernel is 2.4.30 with openwall patched. I also have
> > logwatch and logcheck running and they send me security report
> > everyday.
> > 
> > From logcheck:
> > 
> > Security Events
> > =-=-=-=-=-=-=-=
> > Jul 11 07:02:05 aoclife sshd[24861]: Illegal user sysadmin from 202.158.162.53
> > Jul 11 07:02:05 aoclife sshd[24861]: Failed password for illegal user
> > sysadmin from 202.158.162.53 port 37391 ssh2
> > Jul 11 07:02:05 aoclife sshd[24902]: Illegal user sysadmin from 202.158.162.53
> > 
> > I don't worry about that because 'he' is just bruteforcing me. My sshd
> > is secured /etc/hosts.allow .
> > 
> > And from logwatch:
> > 
> >   hidekazu/password from 211.96.27.90: 1 Time(s)
> >   hirofumi/password from 211.96.27.90: 1 Time(s)
> >   hirohisa/password from 211.96.27.90: 1 Time(s)
> >   hirokazu/password from 211.96.27.90: 1 Time(s)
> >   hiroshi/password from 211.96.27.90: 1 Time(s)
> >   hisashi/password from 211.96.27.90: 1 Time(s)
> >   hitoshi/password from 211.96.27.90: 1 Time(s)
> > 
> > Japanese usernames :D. Because my server is running a DDNS with .jp
> > in the end so I think that it is not an automated bruteforce attempt.
> > And I want to block such kind of attempt *automatically*. If we can
> > block those IPs with iptables -j REJECT, then the log will be much
> > cleaner ( 250KB each time is so annoying ).
> > 
> > I remember that someone in TLUG has posted a ruby (?) script to the
> > list but I couldn't find the post in the archives.
> > 
> > Please share your ideas.
> > 
> 
> I run SSHD on a port in the 2000 range, haven't had a single 
> unauthorized login attempt since I put the system up around Nov last 
> year.  Figure it's always good to stay away from the defaults if you 
> can.  (Security through obscurity perhaps)
My setting is similar and while it doesn't drop unauthorized connections
or log further nefarious activity, it does keep the log clean. 

Definitely not perfect, but if all you're worried about is the logs.


> BAB
> 
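An added example, not a script from the thread or from anyone on the list, of the automatic blocking Hung asks for: parse sshd "Failed password" lines in the format logcheck showed, count them per source address, and emit `iptables -j REJECT` rules for addresses over a threshold. The embedded sample log is constructed; only the 202.158.162.53 records echo the quoted report (the wrapped "Failed password" line in the mail is one log record). The threshold, the allowlist entry 192.0.2.7 and the 10.0.0.5 address are assumptions for the demo.

```python
import re
import shlex
import subprocess
import sys
from collections import Counter

# Constructed sample log in the format logcheck quoted in the thread.
# The 202.158.162.53 lines mirror the report; the others are made up here.
SAMPLE_LOG = """\
Jul 11 07:02:05 aoclife sshd[24861]: Illegal user sysadmin from 202.158.162.53
Jul 11 07:02:05 aoclife sshd[24861]: Failed password for illegal user sysadmin from 202.158.162.53 port 37391 ssh2
Jul 11 07:02:05 aoclife sshd[24902]: Illegal user sysadmin from 202.158.162.53
Jul 11 07:02:06 aoclife sshd[24902]: Failed password for illegal user sysadmin from 202.158.162.53 port 37395 ssh2
Jul 11 07:02:07 aoclife sshd[24910]: Failed password for illegal user test from 202.158.162.53 port 37401 ssh2
Jul 11 07:02:08 aoclife sshd[24915]: Failed password for illegal user admin from 202.158.162.53 port 37410 ssh2
Jul 11 07:02:09 aoclife sshd[24920]: Failed password for root from 202.158.162.53 port 37412 ssh2
Jul 11 07:05:00 aoclife sshd[24950]: Failed password for hung from 192.0.2.7 port 51000 ssh2
Jul 11 07:05:30 aoclife sshd[24960]: Accepted password for hung from 192.0.2.7 port 51001 ssh2
Jul 11 07:06:00 aoclife sshd[24970]: Failed password for illegal user hidekazu from 10.0.0.5 port 4000 ssh2
"""

# One "Failed password" record per attempt. "Illegal user" lines describe the
# same attempt and are deliberately not counted, so nothing is counted twice.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(lines):
    """Return ({ip: failed attempts}, {ip: set of usernames tried})."""
    counts = Counter()
    users = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        counts[m["ip"]] += 1
        users.setdefault(m["ip"], set()).add(m["user"])
    return counts, users


def offenders(counts, threshold=5, allowlist=()):
    """Addresses at or above the threshold, minus ones you never want to block."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def reject_rule(ip, port=22):
    """iptables command (argv list) rejecting new SSH connections from ip."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp",
            "--dport", str(port), "-j", "REJECT"]


def build_rules(lines, threshold=5, allowlist=(), port=22):
    counts, _ = count_failures(lines)
    return [reject_rule(ip, port) for ip in offenders(counts, threshold, allowlist)]


def main(argv):
    # Usage: block_ssh.py [LOGFILE] [--apply]   (no LOGFILE: dry-run on the sample)
    apply_rules = "--apply" in argv
    paths = [a for a in argv if a != "--apply"]
    if paths:
        with open(paths[0]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    # Assumed allowlist: your own admin address, so you cannot lock yourself out.
    for cmd in build_rules(lines, threshold=5, allowlist=("192.0.2.7",)):
        print(" ".join(shlex.quote(c) for c in cmd))
        if apply_rules:
            subprocess.run(cmd, check=True)  # needs root; skipped on a dry run


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments for a dry run over the sample (it prints one REJECT rule, for 202.158.162.53); point it at a real log (on Debian, sshd writes to /var/log/auth.log) and add `--apply` to insert the rules. Keep your own addresses on the allowlist, and note that rules inserted this way are not persistent across a reboot and are never expired, so the chain grows until you clear it.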


