[clug] SSH attack

Steve Jenkin sjenkin at canb.auug.org.au
Mon Jul 25 13:51:22 GMT 2005


Tonight I noticed lots of inbound network activity to an unused host: I
mapped SSH through the firewall to it.

First event in log:
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from 66.235.160.30 port 60518 ssh2

Could this explain the compromise someone on the list saw recently?

I've created two lists from the attempts I've seen in /var/log/secure,
URLs below.  Hope this is helpful to some of you out there.  The first
number in the file is the count.
http://tip.net.au/~sjenkin/hack-ipnr.txt
http://tip.net.au/~sjenkin/hack-logins.txt

BTW: I've read the man page for 'sshd_config', and it seems pretty
sketchy to me on how to limit connections to sshd.  All I found was:
=> AllowUsers USER@HOST

Doesn't seem to understand limiting to subnets or denying from address
ranges, say like Apache...  Did I get this right?

cheers
steve

-- 
Steve Jenkin, Unix Sys Admin
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://www.tip.net.au/~sjenkin
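As an added illustration (not part of Steve's post, and not his scripts), the following Python program produces the two lists he describes from /var/log/secure lines in the format quoted above: failed-password attempts counted per source address and per login name, most frequent first, plus a list of addresses over a chosen threshold that would be candidates for a firewall block. The log lines embedded in the script are constructed for the example; only the first two are taken from the post. The threshold of 3 is an arbitrary choice, and the regex also accepts the newer "invalid user" wording that later OpenSSH versions log in place of "illegal user".

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines in the format quoted in the post.
# The first two lines are from the post; the rest are made up for the example
# (192.0.2.x and 198.51.100.x are documentation address ranges).
SAMPLE_LOG = """\
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from 66.235.160.30 port 60518 ssh2
Jun 30 22:58:49 cdr sshd[3538]: Illegal user guest from 66.235.160.30
Jun 30 22:58:52 cdr sshd[3538]: Failed password for illegal user guest from 66.235.160.30 port 60601 ssh2
Jun 30 22:59:01 cdr sshd[3540]: Failed password for root from 66.235.160.30 port 60650 ssh2
Jun 30 23:10:15 cdr sshd[3590]: Illegal user admin from 192.0.2.77
Jun 30 23:10:18 cdr sshd[3590]: Failed password for illegal user admin from 192.0.2.77 port 4011 ssh2
Jun 30 23:10:25 cdr sshd[3592]: Failed password for root from 192.0.2.77 port 4020 ssh2
Jun 30 23:11:00 cdr sshd[3600]: Accepted publickey for steve from 198.51.100.9 port 51000 ssh2
"""

# One "Failed password" line per attempt. The "illegal user"/"invalid user"
# prefix is optional so that failures against real accounts (e.g. root) count too.
# The separate "Illegal user X from IP" notice is deliberately not matched: it
# precedes the "Failed password" line for the same attempt and would double count.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(lines):
    """Return (per_ip, per_user) Counters of failed password attempts."""
    per_ip, per_user = Counter(), Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successes, "Illegal user" notices, unrelated daemons
        per_ip[m["ip"]] += 1
        per_user[m["user"]] += 1
    return per_ip, per_user


def format_report(counter):
    """Format like the posted lists: count first, then the item, most frequent first."""
    return "\n".join(f"{n:6d} {item}" for item, n in counter.most_common())


def offenders(per_ip, threshold=3):
    """Addresses with at least `threshold` failures, most active first."""
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


def main(path=None):
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    per_ip, per_user = count_failures(lines)
    print("# failed attempts per source address\n" + format_report(per_ip))
    print("\n# failed attempts per login name\n" + format_report(per_user))
    print("\n# addresses at or over threshold:", ", ".join(offenders(per_ip)))


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no arguments to see the constructed sample analysed, or pass the path to a real /var/log/secure. Counting only the "Failed password" line, not the accompanying "Illegal user" notice, is what keeps the per-address totals equal to the actual number of attempts.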
