What to do with a constant flow of attempts to login to my computer?

Boaz Rymland boaz at rymland.com
Sun Jan 3 17:08:32 IST 2010


To add my own list:

* verify there are as few users as possible on the machine. Unused user?
Either purge or disable (login shell set to /bin/false or the like; home
dir set to /not/here).
* verify that users on the machine do not have easy-to-guess passwords.
* indeed, move sshd to listen on a NON-default port.
* shut down and remove any unneeded software/services, including and
specifically any web applications that are not used.
* keep your installed applications updated and keep an eye on software
updates. I once had an unsuccessful break-in attempt that was trying to
exploit some bug in a webmail application that was not used. The bug was
two weeks old at the time. Both of the break-in cases I described were on
my 24/7 home machine that I had running for years (but not anymore), not some
high-traffic IP address, so this is rather common these days.

Boaz.
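The "check your configured users, don't presume anything" advice above can be made mechanical. The following is an added example, not code from Boaz's post or from anyone in the thread: it parses /etc/passwd-format text, lists every account whose shell still permits a login, flags the ones that are not on an expected list or that are service accounts left with a real shell, and emits the usermod commands that disable an account the way the post suggests. The passwd sample is constructed, the set of no-login shells and the uid <= 999 boundary for service accounts are assumptions (check /etc/shells and /etc/login.defs on your own distribution), and the `expected_logins` set is something you supply.

```python
"""Audit an /etc/passwd listing for accounts that can still log in."""
from dataclasses import dataclass

# Shells that refuse an interactive login. This set is an assumption for the
# example; check what your distribution actually ships in /etc/shells.
NOLOGIN_SHELLS = {
    "/bin/false", "/usr/bin/false", "/bin/true",
    "/sbin/nologin", "/usr/sbin/nologin", "/bin/sync",
}

# Constructed sample in passwd(5) format, not taken from any real host.
# 'test' is the kind of forgotten account the thread warns about; 'amavis'
# is a service account that was left with a real shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
clamav:x:110:115::/var/lib/clamav:/bin/false
amavis:x:111:116::/var/lib/amavis:/bin/sh
gabor:x:1000:1000:Gabor:/home/gabor:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
"""


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:home:shell."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, _gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), home, shell))
    return accounts


def login_capable(accounts):
    """Accounts whose shell would give an authenticated user a session."""
    return [a for a in accounts if a.shell not in NOLOGIN_SHELLS]


def audit(accounts, expected_logins, system_uid_max=999):
    """Login-capable accounts worth questioning: any not in the expected
    set, and any service account (0 < uid <= system_uid_max, an assumed
    boundary) that still has an interactive shell. Returns (account,
    reasons) pairs in passwd order."""
    findings = []
    for a in login_capable(accounts):
        reasons = []
        if a.name not in expected_logins:
            reasons.append("not an expected login account")
        if 0 < a.uid <= system_uid_max:
            reasons.append("service uid with an interactive shell")
        if reasons:
            findings.append((a, reasons))
    return findings


def disable_commands(account, parking_home="/not/here"):
    """Shell commands that neutralise an account the way the post suggests:
    lock the password, remove the login shell, point the home dir nowhere."""
    return [
        f"usermod --lock {account.name}",
        f"usermod --shell /usr/sbin/nologin {account.name}",
        f"usermod --home {parking_home} {account.name}",
    ]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for account, reasons in audit(accounts, expected_logins={"root", "gabor"}):
        print(f"{account.name} (uid {account.uid}, shell {account.shell}): "
              + "; ".join(reasons))
        for cmd in disable_commands(account):
            print("   ", cmd)
```

Run it against the real file with `parse_passwd(open("/etc/passwd").read())`; the printed usermod lines are suggestions to review, not something the script executes.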

On Sun, 03 Jan 2010 09:51:05 -0500, Boaz Rymland <boaz at rymland.com> wrote:
> This is so common these days I heard years ago people filtering out such
> messages.
> 
> Just check your machine carefully - I once had a break-in that was caused
> by a stupid chain of mistakes: I switched sshd to listen on its default
> port (22) for some time (instead of some arbitrary port as it used to
> be) + the router forwarded port 22 connections to the Linux machine (as
> needed for SSH to work) + yes, there was a little issue of a test user I
> once created, named "test" with password "test"... . Voilà! A robot sounded
> the "bingo!" alarm somewhere... . I had to reinstall my machine (which
> wasn't that bad, but still...).
> 
> Lesson? Carefully check your machine's "entry points" and, as much as you
> can, try not to assume things to be in a certain state before checking
> that (like, "I don't have stupid test users on machines" - check your
> configured users) as that can fail you. In other words - don't presume
> anything. Check it, to evaluate your status.
> 
> Boaz.
> 
> On Sun, 3 Jan 2010 16:34:29 +0200, Gabor Szabo <szabgab at gmail.com> wrote:
>> I just noticed someone bombarding my machine trying to log in via ssh.
>> From auth.log:
>> 
>> Jan  3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
>> Jan  3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
>> Jan  3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
>> Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): check pass; user unknown
>> Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
>> Jan  3 06:31:49 s6 sshd[22781]: Invalid user appserver from 202.138.142.216
>> Jan  3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): check pass; user unknown
>> Jan  3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
>> Jan  3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
>> Jan  3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2
>> 
>> 
>> So what is your suggestion. What to do with it?
>> 
>> Gabor
>> 
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il at cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
> 
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
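The auth.log excerpt Gabor quotes is the raw material that tools such as fail2ban work from. As an added example, not code from anyone in the thread, the following Python script summarises sshd authentication events per source address: how many failures, which usernames were tried, whether the failures arrive in a burst (here, an assumed 5 within 60 seconds), and, the case from Boaz's "test"/"test" story, whether an address that was failing later got an "Accepted" line. The log lines are constructed in the format of the quoted excerpt (the first four mirror it, the rest are invented to exercise the checks); syslog timestamps carry no year, so 2010 is assumed for ordering.

```python
"""Summarise sshd brute-force activity from auth.log-style lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the quoted auth.log excerpt. The first
# four lines mirror the post; the oracle/test lines and the two accepted
# logins are invented so that both detections below have something to find.
SAMPLE_LOG = """\
Jan  3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
Jan  3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): check pass; user unknown
Jan  3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
Jan  3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2
Jan  3 06:31:55 s6 sshd[22790]: Failed password for invalid user oracle from 202.138.142.216 port 40512 ssh2
Jan  3 06:32:01 s6 sshd[22795]: Failed password for test from 202.138.142.216 port 40533 ssh2
Jan  3 06:32:04 s6 sshd[22799]: Accepted password for test from 202.138.142.216 port 40560 ssh2
Jan  3 07:10:12 s6 sshd[23001]: Accepted publickey for gabor from 10.0.0.5 port 51022 ssh2
Jan  3 07:15:40 s6 sshd[23010]: Failed password for gabor from 10.0.0.5 port 51030 ssh2
"""

# Matches OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from
# <ip> port <n> ssh2" lines; pam_unix and "Invalid user" notices are skipped.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_ts(text, year=2010):
    """Syslog timestamps have no year; the thread is from January 2010,
    so that year is assumed (only relative ordering matters here)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def parse_events(text):
    """Return (timestamp, ip, user, accepted) tuples for auth results."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        events.append((parse_ts(m["ts"]), m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def burst(times, threshold, window):
    """True if `threshold` failures fall inside any `window`-second span."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
            return True
    return False


def analyze(text, threshold=5, window=60):
    """Per-source summary: failure count, usernames tried, burst flag, and
    any user accepted from that address after it had already failed."""
    per_ip = defaultdict(lambda: {"fail_times": [], "users": set(), "accepted_after_failures": []})
    for ts, ip, user, accepted in sorted(parse_events(text)):
        rec = per_ip[ip]
        if accepted:
            if rec["fail_times"]:
                rec["accepted_after_failures"].append(user)
        else:
            rec["fail_times"].append(ts)
            rec["users"].add(user)
    return {
        ip: {
            "failed": len(rec["fail_times"]),
            "users": sorted(rec["users"]),
            "burst": burst(rec["fail_times"], threshold, window),
            "accepted_after_failures": rec["accepted_after_failures"],
        }
        for ip, rec in per_ip.items()
    }


def suspicious(report):
    """Addresses to block or investigate: bursting, or failed-then-accepted."""
    return sorted(ip for ip, r in report.items() if r["burst"] or r["accepted_after_failures"])


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in suspicious(report):
        r = report[ip]
        print(f"{ip}: {r['failed']} failures, users tried: {', '.join(r['users'])}"
              + (f"; ACCEPTED after failures: {r['accepted_after_failures']}"
                 if r["accepted_after_failures"] else ""))
```

A single failed login from an address that had already authenticated (the 10.0.0.5 case) is a typo, not an attack, and is correctly left out; an address that guesses its way in (the constructed "test" case) is the one that needs the reinstall Boaz describes, so it is reported even when the burst threshold is not met.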
