[clug] SSH attack
Andrew Pollock
andrew-clug at andrew.net.au
Tue Jul 26 00:12:11 GMT 2005
On Mon, Jul 25, 2005 at 11:51:22PM +1000, Steve Jenkin wrote:
> Tonight I noticed lots of inbound network activity to an unused host: I
> mapped SSH through the firewall to it.
>
> First event in log:
> Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
> Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
> from 66.235.160.30 port 60518 ssh2
>
> Could this explain the compromise someone on the list saw recently?
I use Netfilter to slow these down a bit. The attacks are always impatient,
and that is usually their downfall.
http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks
There can be a bit of collateral damage with these rules and legitimate SSH
connections originating from lossy networks, so judicious use of
whitelisting is advised.
I find this greatly reduces the noise in the logs without needing to filter
it out altogether.
regards
Andrew
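As an added illustration of the approach Andrew describes (this is not his script or the rules from the linked blog entry), the following shell script builds a Netfilter chain that uses the `recent` match (the ipt_recent module) to throttle new SSH connections, with whitelisted networks accepted before any counting happens. The thresholds (4 attempts in 60 seconds), the chain name `SSH_THROTTLE` and the whitelisted networks are assumptions chosen for the example. Without `APPLY=1` it only prints the rules, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: throttle SSH brute-force attempts with the iptables "recent"
# match, with a whitelist in front. Not from the original post; chain name,
# thresholds and whitelist networks are assumptions for illustration.
#
# Usage: sh ssh-throttle.sh                 # dry run, prints the rules
#        sudo APPLY=1 sh ssh-throttle.sh    # applies them with iptables

IPT="${IPT:-iptables}"

# Run one iptables command, or just print it in dry-run mode.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# ssh_throttle_rules SECONDS HITCOUNT [WHITELIST_NET ...]
#   A source that opens HITCOUNT new SSH connections within SECONDS has its
#   further attempts dropped. Sources in the whitelist are accepted before
#   anything is recorded, which is what keeps legitimate clients on lossy
#   networks (frequent reconnects) from being caught as collateral damage.
ssh_throttle_rules() {
    secs="$1"; hits="$2"; shift 2

    # Separate chain so the rules can be flushed and reloaded on their own.
    ipt -N SSH_THROTTLE
    ipt -F SSH_THROTTLE

    # 1. Whitelisted networks skip the throttle entirely.
    for net in "$@"; do
        ipt -A SSH_THROTTLE -s "$net" -j ACCEPT
    done

    # 2. Record every new connection attempt under the list name "SSH".
    ipt -A SSH_THROTTLE -m recent --name SSH --set

    # 3. Drop once the source has HITCOUNT entries within SECONDS. Because
    #    --update (rather than --rcheck) refreshes the timestamp on each hit,
    #    an attacker that keeps hammering stays blocked until it stays quiet
    #    for a full window; a patient client never trips the rule.
    ipt -A SSH_THROTTLE -m recent --name SSH --update \
        --seconds "$secs" --hitcount "$hits" -j DROP

    ipt -A SSH_THROTTLE -j ACCEPT

    # Only new inbound SSH connections go through the chain.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_THROTTLE
}

# Hypothetical whitelist: a home network and a monitoring host.
ssh_throttle_rules 60 4 192.0.2.0/24 198.51.100.7
```

Note that `--hitcount` cannot exceed the module's per-source packet list size (the `ip_pkt_list_tot` parameter of the recent module, 20 by default), and that the whitelist rules sit before the `--set` rule on purpose: a whitelisted host is neither counted nor blocked.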