  1. #1
    Join Date
    Jan 2004
    Location
    Sydney
    Posts
    148

    Attempted SSHD Login

    The last 2 nights I have got my LogWatch delivered to my email.

    This has appeared down the bottom of the email:

    --------------------- SSHD Begin ------------------------

    Didn't receive an ident from these IPs:
    dsl81-215-40970.adsl.ttnet.net.tr (81.215.160.10): 3 Time(s)
    w80.arrayinc.com (67.104.141.80): 5 Time(s)

    It was from a different IP the night before, and has only just started to happen.

    Obviously they aren't getting in, but has anyone else experienced this sort of thing?

    Surely they aren't just trying to guess the root pass?

    Is there anything more I can do, as it's quite unnerving?

    Cheers!

  2. #2
    Join Date
    Jul 2003
    Location
    Nothing but, net
    Posts
    2,064
    Disable direct root logins and create an obscure username to su with. That will protect you.

  3. #3
    Join Date
    Jul 2002
    Location
    Kuwait
    Posts
    10,620
    would be random scanning or so

    do as liflesshost said and might consider changing ssh port to another port or so
    Bashar Al-Abdulhadi - KuwaitNET Internet Services Serving customers since 1997
    Kuwait's First Webhosting and Domain Registration provider - an ICANN Accredited Registrar

    Twitter: Bashar Al-Abdulhadi

  4. #4
    Originally posted by Bashar
    would be random scanning or so

    do as liflesshost said and might consider changing ssh port to another port or so

    Use the AllowGroups setting in /etc/ssh/sshd_config so that all users in a special group can have ssh access. A nice way to get control over it!

  5. #5
    Join Date
    Jun 2003
    Location
    United States of America
    Posts
    1,847
    Ouch man, I hate being bugged
    Computer Steroids - Full service website development solutions since 2001.
    (612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.

  6. #6
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    Hi,
    And also, if you want to get to the bottom of it and want to make your machine accessible from just your IP, use this handy rule in iptables:

    /sbin/iptables -I INPUT -p tcp ! -s yourip --dport 22 -j DROP
    SupportExpertz.com - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support

  7. #7
    Join Date
    Jan 2004
    Location
    Sydney
    Posts
    148
    Thanks for the help guys

    Hopefully this will stop!

    I just can't believe they are trying to guess the pass. I mean wtf?

  8. #8
    Join Date
    Feb 2003
    Location
    United Kingdom
    Posts
    522
    This is a particularly nice script: http://www.rfxnetworks.net/bfd.php.

    It's always interesting to see attempts at compromising root (if you're that way inclined of course - it could have the inverse effect and make you very, very paranoid!).

    Kevin
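
An added example, not written by any poster in this thread and not the BFD script linked above: LogWatch's "Didn't receive an ident" entry summarises sshd's "Did not receive identification string from" message, which is logged when a client connects and leaves without sending an SSH banner, and is a different event from a failed password. The Python below separates the two per source IP; the log lines are constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed syslog-style sample; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:01 host sshd[2101]: Did not receive identification string from 203.0.113.7
Jan 12 03:14:09 host sshd[2102]: Did not receive identification string from 203.0.113.7
Jan 12 03:20:11 host sshd[2110]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jan 12 03:20:13 host sshd[2110]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jan 12 03:20:15 host sshd[2111]: Failed password for invalid user admin from 198.51.100.23 port 40120 ssh2
Jan 12 03:20:18 host sshd[2112]: Failed password for illegal user test from 198.51.100.23 port 40131 ssh2
Jan 12 09:02:44 host sshd[2300]: Failed password for alice from 192.0.2.50 port 51515 ssh2
Jan 12 09:02:51 host sshd[2300]: Accepted password for alice from 192.0.2.50 port 51515 ssh2
"""

NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
# The user name is client-controlled, so match it greedily and anchor on the
# trailer sshd writes itself: a name containing " from 1.2.3.4" cannot shift the IP.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(.*)"
    r" from (\S+) port \d+(?: ssh\d)?\s*$")

def summarize(log_text):
    """Return {ip: {"no_ident": n, "failed": n, "users": set_of_names}}."""
    stats = defaultdict(lambda: {"no_ident": 0, "failed": 0, "users": set()})
    for line in log_text.splitlines():
        if m := NO_IDENT.search(line):
            stats[m.group(1)]["no_ident"] += 1
        elif m := FAILED.search(line):
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
    return dict(stats)

def classify(entry, threshold=3):
    if entry["failed"] >= threshold:
        return "brute-force"    # repeated password guesses from one source
    if entry["failed"]:
        return "failed-login"   # below threshold, e.g. a mistyped password
    return "scan-only"          # connected, never attempted authentication

def report(log_text, threshold=3):
    return {ip: classify(e, threshold) for ip, e in summarize(log_text).items()}

if __name__ == "__main__":
    for ip, verdict in sorted(report(SAMPLE_LOG).items()):
        print(ip, verdict)
```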
