mcavic

msg:3801453 | 5:57 am on Dec 6, 2008 (gmt 0) |
I'd suspect that sshd is still listening on the default port as well as the custom one. 10,000 attempts on a custom port seems quite unusual. Also, LogWatch shouldn't report attempts on invalid ports, unless it's reading an iptables log (and by default, there isn't an iptables log).
|
BradleyT

msg:3802636 | 4:33 pm on Dec 8, 2008 (gmt 0) |
You might be right about it still listening on the default port. I use Webmin and there are 2 sections for ports. The first section is "Listen on Address" and, as a second part of that, "Listen on port", where the default radio box was selected. Right below that was a single entry called "Listen on Port" where I had changed the port. I just changed the first section to use the new port and will see if that decreases the number of attempts today. Thanks for the suggestion.
|
vincevincevince

msg:3806835 | 4:47 pm on Dec 13, 2008 (gmt 0) |
10k attempts is nothing unusual. If I feel like it, I will report the most persistent offenders.
whois the.ip.add.ress
Abuse email details for their ISP are usually listed.
|
Nutter

msg:3815379 | 4:22 am on Dec 29, 2008 (gmt 0) |
That's about what I was getting before switching ports. Now when I get a notice about an invalid login it's usually me mistyping my password.
|
jeffatrackaid

msg:3826556 | 11:22 pm on Jan 14, 2009 (gmt 0) |
If you can limit access via iptables, then you can block all of this. Most versions of SSH use tcp wrappers so you can use /etc/host.allow /etc/host.deny if you are not comfortable using iptables.
Also there are some options within SSH itself that can help.
MaxAuthTries # This limits the number of password attempts per connection. For a brute-force attack a low number means the attacker has to initiate another connection to the server. This slows down the attack.
You could switch to key only authentication and disable passwords completely.
Lastly, there are tools such as DenyHosts: [denyhosts.sourceforge.net...] which can auto-block offending IP addresses.
I recently saw a PAM module that did the same thing. I need to dig up the link. I like the PAM module as it is relatively transparent to most applications and protects SSH as well as other systems that use PAM authentication.
|
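Added example (not part of the thread and not any poster's code): a Python check that reads sshd_config text and reports which ports sshd would listen on, applying the sshd_config(5) rule that a ListenAddress without a port uses every Port directive, together with the effective MaxAuthTries and PasswordAuthentication values. The function names, the sample configuration and the intended port 2222 are assumptions made for illustration.

```python
# Added example: audit sshd_config text for the settings discussed in the thread.
DEFAULTS = {"maxauthtries": "6", "passwordauthentication": "yes"}  # OpenSSH defaults

def listen_port(value):
    """Return the explicit port in a ListenAddress value, or None if absent."""
    if value.startswith("["):                      # [addr]:port or [addr]
        rest = value.partition("]")[2]
        return int(rest[1:]) if rest.startswith(":") else None
    if value.count(":") == 1:                      # host:port; bare IPv6 has more colons
        return int(value.split(":")[1])
    return None

def audit_sshd_config(text, intended_port):
    ports, listen, first = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                         # global section ends here
            break
        if key == "port":
            ports.append(int(value))               # Port may repeat; all are used
        elif key == "listenaddress":
            listen.append(value)
        else:
            first.setdefault(key, value)           # first occurrence wins in sshd
    base = ports or [22]                           # no Port directive means 22
    effective = set() if listen else set(base)
    for value in listen:                           # no port given: every Port applies
        port = listen_port(value)
        effective.update([port] if port else base)
    settings = {**DEFAULTS, **first}
    return {
        "ports": sorted(effective),
        "unexpected_ports": sorted(effective - {intended_port}),
        "max_auth_tries": int(settings["maxauthtries"]),
        "password_auth": settings["passwordauthentication"].lower() == "yes",
    }

SAMPLE = """\
# constructed sample configuration, not taken from the thread
Port 2222
ListenAddress 0.0.0.0
ListenAddress 192.0.2.10:22
"""

if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE, intended_port=2222))
```

On the constructed sample the second ListenAddress line keeps port 22 open even though Port was changed, which is the two-setting situation described for Webmin earlier in the thread.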
janharders

msg:3826565 | 11:32 pm on Jan 14, 2009 (gmt 0) |
We've introduced port knocking a while back ... gives you that extra feeling of security because no brute force-tries are coming through. plus it's nice to look at auth.log and actually see relevant data ... funny enough I was looking at it and saw that one webdesigner continually failed to log in ... so I called him and asked if he had forgotten his password, turns out, he was just seconds away from calling me and got spooked ;)
|