What to do with a constant flow of attempts to log in to my computer?

sara fink sara.fink at gmail.com
Sun Jan 3 16:57:49 IST 2010


A few suggestions:
1. After 3 unsuccessful logins, knock the user out (no matter who the
user is).
2. Ban the IP in iptables. You can see it's the same IP all the time. This
IP is from the Philippines
http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=202.138.142.216
3. Check if you happen to have root login via ssh and disable it, in case
this option appears. Check in ssh.conf options.
4. Moving to a port other than 22 is a good practice, but in this case
they scan your ports, so it won't help.

On Sun, Jan 3, 2010 at 4:34 PM, Gabor Szabo <szabgab at gmail.com> wrote:

> I just noticed someone bombarding my machine trying to login via ssh.
> From auth.log
>
> Jan  3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
> Jan  3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
> Jan  3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
> Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): check pass; user unknown
> Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
> Jan  3 06:31:49 s6 sshd[22781]: Invalid user appserver from 202.138.142.216
> Jan  3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): check pass; user unknown
> Jan  3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
> Jan  3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
> Jan  3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2
>
>
> So what is your suggestion? What to do with it?
>
> Gabor
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
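Suggestions 1 and 2 from the reply, as an added example that is not part of the original thread: a Python sketch that counts sshd "Failed password" lines per source address and prints an iptables DROP rule for any address reaching 3 failures. The 10-minute window, the `year` parameter and the function names are assumptions; the sample log reuses the quoted lines plus one constructed line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Count only "Failed password" lines: the "Invalid user" and pam_unix lines
# describe the same attempt. The pattern is anchored to the end of the line so
# the address is always the one sshd appended, never text inside the username.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# First five lines are from the quoted auth.log; the last one is constructed.
SAMPLE = """\
Jan  3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
Jan  3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
Jan  3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
Jan  3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
Jan  3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2
Jan  3 06:40:02 s6 sshd[22901]: Failed password for root from 192.0.2.10 port 50022 ssh2
""".splitlines()

def offenders(lines, threshold=3, window=timedelta(minutes=10), year=2010):
    """Return {ip: sorted usernames tried} for IPs with >= threshold failures in window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)
    flagged = {}
    for line in lines:
        m = FAILED.match(line.rstrip())
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = sorted(users[m["ip"]])
    return flagged

def ban_rules(flagged):
    """Render one iptables DROP rule per flagged address (review before applying)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(ban_rules(offenders(SAMPLE))))
```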