Msg#: 3800859 posted 5:57 am on Dec 6, 2008 (gmt 0)
I'd suspect that sshd is still listening on the default port as well as the custom one. 10,000 attempts on a custom port seems quite unusual. Also, LogWatch shouldn't report attempts on invalid ports, unless it's reading an iptables log (and by default, there isn't an iptables log).
Msg#: 3800859 posted 4:33 pm on Dec 8, 2008 (gmt 0)
You might be right about it still listening on the default port.
I use Webmin and there are 2 sections for ports. The first section is "Listen on Address" and as a second part of that "Listen on port" where default was radio box selected. Right below that was a single entry called "Listen on Port" where I had changed the port.
I just changed the first section to use the new port and will see if that decreases the number of attempts today.
I've recently saw a PAM module that did the same thing. I need to dig up the link. I like the PAM module as it is relatively transparent to most applications and protects SSH as well as other systems that use PAM authentication.
Msg#: 3800859 posted 11:32 pm on Jan 14, 2009 (gmt 0)
We've introduced port knocking a while back ... gives you that extra feeling of security because no brute force-tries are coming through. plus it's nice to look at auth.log and actually see relevant data ... funny enough I was looking at it and saw that one webdesigner continually failed to log in ... so I called him and asked if he had forgotten his password, turns out, he was just seconds away from calling me and got spooked ;)