Thread: Attempted SSHD Login
-
05-29-2004, 05:16 AM #1 WHT Addict
- Join Date
- Jan 2004
- Location
- Sydney
- Posts
- 148
Attempted SSHD Login
The last 2 nights I have got my LogWatch delivered to my email.
This has appeared down the bottom of the email:
--------------------- SSHD Begin ------------------------
Didn't receive an ident from these IPs:
dsl81-215-40970.adsl.ttnet.net.tr (81.215.160.10): 3 Time(s)
w80.arrayinc.com (67.104.141.80): 5 Time(s)
It was from a different IP the night before, and has only just started to happen.
Obviously they aren't getting in, but has anyone else experienced this sort of thing?
Surely they aren't just trying to guess the root pass?
Is there anything more I can do, as it's quite unnerving?
Cheers!
-
05-29-2004, 05:33 AM #2 Web Hosting Master
- Join Date
- Jul 2003
- Location
- Nothing but, net
- Posts
- 2,064
Disable direct root logins and create an obscure username to su with. That will protect you.
-
05-29-2004, 05:47 AM #3 Retired Moderator
- Join Date
- Jul 2002
- Location
- Kuwait
- Posts
- 10,620
would be random scanning or so
do as liflesshost said and might consider changing ssh port to another port or so
Bashar Al-Abdulhadi - KuwaitNET Internet Services Serving customers since 1997
Kuwait's First Webhosting and Domain Registration provider - an ICANN Accredited Registrar
Twitter: Bashar Al-Abdulhadi
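A way to check a server against the suggestions in posts #2 and #3 (no direct root login, SSH moved off port 22), as an added example that is not part of the thread. The function names and the sample config are constructed for illustration; it assumes plain "Keyword value" lines and does not evaluate Match blocks or Include files.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes plain "Keyword value" lines;
# Match blocks and Include files are not evaluated.

# Print every value set for keyword $1 in config file $2, lowercased.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/          { next }   # skip comments and blank lines
        tolower($1) == "match"  { exit }   # global section ends at first Match
        tolower($1) == tolower(key) { print tolower($2) }  # keywords ignore case
    ' "$2"
}

# Print one finding per line; no output means both suggestions are in place.
audit_sshd() {
    # sshd uses the first value it reads for a keyword, so later lines lose.
    root=$(sshd_values PermitRootLogin "$1" | head -n 1)
    # Port is an exception: it may repeat and sshd listens on every one.
    ports=$(sshd_values Port "$1")
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin: not set, the build default applies" ;;
        *)  echo "PermitRootLogin: '$root' still permits some form of root login" ;;
    esac
    [ -n "$ports" ] || ports=22            # sshd listens on 22 when Port is unset
    for p in $ports; do
        if [ "$p" = 22 ]; then echo "Port: listening on default port 22"; fi
    done
    return 0
}

# Constructed sample: the second PermitRootLogin line looks safe but is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
permitrootlogin yes
PermitRootLogin no
EOF
audit_sshd "$sample"
rm -f "$sample"
```

Run `audit_sshd /etc/ssh/sshd_config` on the server itself; where the installed OpenSSH supports it, `sshd -T` prints the configuration the daemon actually resolved.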
-
05-29-2004, 12:06 PM #4 Newbie
- Join Date
- May 2004
- Posts
- 7
Originally posted by Bashar
would be random scanning or so
do as liflesshost said and might consider changing ssh port to another port or so
-
05-29-2004, 12:23 PM #5 Web Hosting Master
- Join Date
- Jun 2003
- Location
- United States of America
- Posts
- 1,847
ouch man, i hate bein bugged
Computer Steroids - Full service website development solutions since 2001.
(612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.
-
05-29-2004, 03:03 PM #6 Web Hosting Master
- Join Date
- Jun 2003
- Location
- World Wide Web
- Posts
- 581
Hi,
And also, if you want to get to the bottom of it and want to make your machine accessible from just your IP, use this handy rule in iptables:
/sbin/iptables -I INPUT -p tcp ! -s yourip --dport 22:22 -j DROP
SupportExpertz.com - the name says it all!
Managed Cloud Servers
Server Management and Monitoring
24x7 outsourced customer support
-
05-30-2004, 02:05 AM #7 WHT Addict
- Join Date
- Jan 2004
- Location
- Sydney
- Posts
- 148
Thanks for the help guys
Hopefully this will stop!
I just can't believe they are trying to guess the pass. I mean wtf?
-
05-30-2004, 02:30 AM #8 Web Hosting Evangelist
- Join Date
- Feb 2003
- Location
- United Kingdom
- Posts
- 522
This is a particularly nice script: http://www.rfxnetworks.net/bfd.php.
It's always interesting to see attempts at compromising root (if you're that way inclined of course - it could have the inverse effect and make you very, very paranoid!).
Kevin