ssh: Repeated breakin attempts
robert.spam.me.senseless_at_gmail.com
Date: 05/02/05
- Next message: Darko Gavrilovic: "Re: Linux Firewall Suggestion"
- Previous message: Enkidu: "Re: Linux Firewall Suggestion"
- Next in thread: Michael Pelletier: "Re: ssh: Repeated breakin attempts"
- Reply: Michael Pelletier: "Re: ssh: Repeated breakin attempts"
- Reply: Jani Mikkonen: "Re: ssh: Repeated breakin attempts"
- Reply: muxaul_at_lenta.ru: "Re: ssh: Repeated breakin attempts"
- Reply: Unruh: "Re: ssh: Repeated breakin attempts"
- Reply: Llanzlan Klazmon: "Re: ssh: Repeated breakin attempts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 2 May 2005 02:32:50 -0700
Today I found hundreds of the following in my /var/log/auth.log:
May 2 08:12:01 debian sshd[16918]: Could not reverse map address
64.132.35.43.
May 2 08:12:04 debian sshd[16920]: Could not reverse map address
64.132.35.43.
May 2 08:12:06 debian sshd[16922]: Could not reverse map address
64.132.35.43.
This is occasionally punctuated with the following:
May 2 08:12:47 debian sshd[16955]: User XXXX not allowed because none
of
user's groups are listed in AllowGroups
Where XXXX is a valid user name on my system - who is denied access via
ssh.
Occasionally I get
May 2 07:59:30 debian PAM_unix[16273]: authentication failure; (uid=0)
->
YYYY for ssh service
May 2 07:59:32 debian sshd[16273]: Failed password for YYYY from
64.132.35.43 port 39023 ssh2
May 2 07:59:35 debian sshd[16275]: Could not reverse map address
64.132.35.43.
Where YYYY is a user who has permission to log in remotely via ssh.
There seem to be bursts of this sort of activity every day or two, from
different addresses.
I only have a very limited number of users who are able to log in
through
ssh, and the users who can have good passwords, so I assume that the
chance
of a successful breakin is low.
What concerns me is that the attackers seem to be able to retrieve the
names
of users on my system. How do they do that, and how can I prevent it?
I am running Woody, with up-to-date patches, behind a cheap hardware
firewall-router. Open ports are 22 (sshd), 25 (sendmail), 80 (apache),
443
(apache-ssl), 993 (courier-imap over ssl) and 995 (courier-pop over
ssl).
- Next message: Darko Gavrilovic: "Re: Linux Firewall Suggestion"
- Previous message: Enkidu: "Re: Linux Firewall Suggestion"
- Next in thread: Michael Pelletier: "Re: ssh: Repeated breakin attempts"
- Reply: Michael Pelletier: "Re: ssh: Repeated breakin attempts"
- Reply: Jani Mikkonen: "Re: ssh: Repeated breakin attempts"
- Reply: muxaul_at_lenta.ru: "Re: ssh: Repeated breakin attempts"
- Reply: Unruh: "Re: ssh: Repeated breakin attempts"
- Reply: Llanzlan Klazmon: "Re: ssh: Repeated breakin attempts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
