What to do with a constant flow of attempts to login to my computer?

Boaz Rymland boaz at rymland.com
Sun Jan 3 16:51:05 IST 2010


This is so common these days I heard years ago people filtering out such
messages.

Just check your machine carefully - I once had a break-in that was caused
by a stupid chain of mistakes: I switched sshd to listen on its default
port (22) for some time (instead of some arbitrary port as it used to
be) + router forwarded 22 connections to the linux machine (as needed for
SSH to work) + yes, there was a little issue of a test user I once created,
named "test" with password "test"... Voilà! a robot sounded the "bingo!"
alarm somewhere... I had to reinstall my machine (which wasn't that bad,
but still...).

Lesson? Carefully check your machine's "entry points" and, as much as you
can, try not to assume things to be in a certain status before checking
(like, "I don't have stupid test users on machines" - check your configured
users), as that can fail you. In other words - don't presume anything. Check
it, to evaluate your status.

Boaz.

On Sun, 3 Jan 2010 16:34:29 +0200, Gabor Szabo <szabgab at gmail.com> wrote:
> I just noticed someone bombarding my machine trying to login via ssh.
> From auth.log
> 
> Jan  3 06:31:48 s6 sshd[22774]: Failed password for invalid user
> amavisd from 202.138.142.216 port 35172 ssh2
> Jan  3 06:31:48 s6 sshd[22773]: Failed password for invalid user
> clamav from 202.138.142.216 port 39941 ssh2
> Jan  3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
> Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): check pass; user
> unknown
> Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
> Jan  3 06:31:49 s6 sshd[22781]: Invalid user appserver from 202.138.142.216
> Jan  3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): check pass; user
> unknown
> Jan  3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
> Jan  3 06:31:52 s6 sshd[22780]: Failed password for invalid user
> clamav from 202.138.142.216 port 35699 ssh2
> Jan  3 06:31:52 s6 sshd[22781]: Failed password for invalid user
> appserver from 202.138.142.216 port 40470 ssh2
> 
> 
> So what is your suggestion. What to do with it?
> 
> Gabor
> 
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
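A small added example (not from either poster) that turns the quoted auth.log lines into something actionable: it parses the two sshd message shapes visible above ("Failed password for ..." and "Invalid user ..."), aggregates failures per source address, and separates guesses against non-existent accounts (sshd's "invalid user" marker) from failures against accounts that really exist, which is the case Boaz's "test"/"test" story warns about. The sample input is the quoted log with the mailer's line wrapping undone, plus one constructed line (host 10.0.0.5, user root) to show the valid-user path; the threshold value and function names are my own choices.

```python
import re
from collections import defaultdict

# The two sshd line shapes seen in the quoted auth.log. The optional
# "invalid user " prefix is what tells an existing account apart from a
# guessed name that does not exist on the machine.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
INVALID_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Lines from the post (unwrapped), followed by one constructed line for a
# failure against an account that does exist.
SAMPLE_LOG = """\
Jan  3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
Jan  3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
Jan  3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): check pass; user unknown
Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
Jan  3 06:31:49 s6 sshd[22781]: Invalid user appserver from 202.138.142.216
Jan  3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): check pass; user unknown
Jan  3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
Jan  3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
Jan  3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2
Jan  3 06:32:10 s6 sshd[22790]: Failed password for root from 10.0.0.5 port 51000 ssh2
"""


def summarize(log_text):
    """Aggregate sshd failures by source address.

    Returns {ip: {"failures": n, "users": set_of_names, "valid_user_failures": n}}.
    Only "Failed password" lines count as attempts; "Invalid user" lines are
    used to collect the guessed names (they also appear in the matching
    "Failed password" line, so the sets are simply unioned).
    """
    per_ip = defaultdict(
        lambda: {"failures": 0, "users": set(), "valid_user_failures": 0}
    )
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rec = per_ip[m.group("ip")]
            rec["failures"] += 1
            rec["users"].add(m.group("user"))
            if not m.group("invalid"):
                # No "invalid user" marker: the account exists locally,
                # so a correct guess would actually log the attacker in.
                rec["valid_user_failures"] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            per_ip[m.group("ip")]["users"].add(m.group("user"))
    return dict(per_ip)


def flag_bruteforce(summary, threshold=3):
    """Source addresses with at least `threshold` failed passwords, busiest first."""
    hits = [(ip, rec["failures"]) for ip, rec in summary.items()
            if rec["failures"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def existing_accounts_targeted(summary):
    """Accounts that exist on this machine and have seen failed logins.

    These are the names worth reviewing first (weak or forgotten test
    accounts), in the spirit of checking configured users before assuming
    they are fine.
    """
    targeted = set()
    for rec in summary.values():
        if rec["valid_user_failures"]:
            targeted |= rec["users"]
    return sorted(targeted)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in flag_bruteforce(s):
        print(f"{ip}: {s[ip]['failures']} failures, names tried: {sorted(s[ip]['users'])}")
    print("existing accounts with failed logins:", existing_accounts_targeted(s))
```

The "invalid user" marker is the key signal: a stream of guesses against names like amavisd or clamav that do not exist is background noise, while even a single failure against a real account deserves a look at that account's password and whether it should exist at all. The per-address counting is the same idea a log-watching tool such as fail2ban applies before it adds a temporary firewall rule; a threshold of a few failures inside a short window is enough to separate the scanners from a mistyped password.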
