[clug] SSH attack

Andrew Pollock andrew-clug at andrew.net.au
Tue Jul 26 00:12:11 GMT 2005

On Mon, Jul 25, 2005 at 11:51:22PM +1000, Steve Jenkin wrote:
> Tonight I noticed lots of inbound network activity to an unused host: I
> mapped SSH through the firewall to it.
> First event in log:
> Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from
> Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
> from port 60518 ssh2
> Could this explain the compromise someone on the list saw recently?

I use Netfilter to slow these down a bit. The attacks are always impatient,
and that is usually their downfall.


There can be a bit of collateral damage with these rules and legitimate SSH
connections originating from lossy networks, so judicious use of
whitelisting is advised.

I find this greatly reduces the noise in the logs without needing to filter
it out altogether.
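The rules themselves did not survive in the archive. The script below is an added example in the spirit of what Andrew describes, not the rules from his message: it throttles new SSH connections per source with the netfilter `recent` match and puts a whitelist of trusted networks ahead of the throttle so legitimate clients on lossy links are spared. The chain name, window (60 s), hit count (4) and the whitelist networks are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the poster's rules. Prints an iptables ruleset that
# drops a source's new SSH connections once it opens HITS of them within
# WINDOW seconds; whitelisted networks bypass the throttle entirely.
set -eu

SSH_PORT=22
WINDOW=60                       # seconds the 'recent' table looks back
HITS=4                          # new connections per source allowed in WINDOW
IPT="${IPT:-/sbin/iptables}"    # assumed path to the iptables binary

# ssh_throttle_rules [whitelist-CIDRs...]
# Emits the rules instead of applying them so they can be reviewed first.
ssh_throttle_rules() {
    whitelist="${1:-}"
    echo "$IPT -N SSH_THROTTLE"
    echo "$IPT -F SSH_THROTTLE"
    # Whitelist goes first: a RETURN here means the source is never counted.
    for net in $whitelist; do
        echo "$IPT -A SSH_THROTTLE -s $net -j RETURN"
    done
    # Record every new connection from this source, then drop if the source
    # has reached HITS entries inside the last WINDOW seconds.
    echo "$IPT -A SSH_THROTTLE -m recent --name ssh --set --rsource"
    echo "$IPT -A SSH_THROTTLE -m recent --name ssh --update --seconds $WINDOW --hitcount $HITS --rsource -j DROP"
    echo "$IPT -A SSH_THROTTLE -j RETURN"
    # Only new TCP connections to the SSH port are sent through the chain.
    echo "$IPT -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_THROTTLE"
}

# ssh_throttle_apply [whitelist-CIDRs...]  -- apply the emitted rules as root.
ssh_throttle_apply() {
    ssh_throttle_rules "$@" | sh -e
}
```

Run `ssh_throttle_rules "192.0.2.0/24"` to inspect the output, then `ssh_throttle_apply "192.0.2.0/24"` (as root) to load it; the constructed 192.0.2.0/24 network stands in for whatever you trust.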

