Possible hacking on SSH what should I do?

Andrej Marjan amarjan-e+AXbWqSrlAAvxtiuMwx3w at public.gmane.org
Thu Jul 15 03:07:21 UTC 2010


On July 13, 2010 10:16:22 pm you wrote:
> Myles Braithwaite wrote:
> > Someone from a French IP is trying to access one of my servers:
> > 
> > Jul 13 15:05:30 fox sshd[1866]: reverse mapping checking getaddrinfo
> > for 23-194.213-56.static-ip.oleane.fr [213.56.194.23] failed -
> > POSSIBLE BREAK-IN ATTEMPT!
> 
> I would add them to your hosts.deny file.
> 
> If this is your own machine accessed from multiple places, knockd would be
> worth looking at using on the machine (I was just reading about it in the
> January 2010 issue of Linux Journal).
> 
> I found having lots of people poking at a remote machine I administer that
> had sshd running. Since I only accessed the remote machine from my home
> computer (which has a static domain name but dynamic IP address), I set up
> hosts.allow to allow ssh from my static domain name but deny everyone else.
> It drastically cut down the sites reported in the daily summary of the
> system logs and they are all reported as "connection refused x times" where
> x is usually a single digit.

In such a scenario (limited user base, preferably just you), just moving SSH 
to a nonstandard port will do the trick too. At one time I was being brute 
forced from dozens of different IPs daily; moving SSH to port 443 (for easy 
access through even draconian firewalls) eliminated the unwanted attention.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
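
Added example, not part of the original messages: one way to decide which addresses to list in hosts.deny, by tallying sshd warnings per source address. It assumes OpenSSH's usual "Failed password" line format and IPv4 only; every sample line except the first is constructed, and the function names and threshold are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample. Line 1 is the message quoted in the thread, joined onto
# one line; the others are made up and use documentation address ranges.
SAMPLE_LOG = """\
Jul 13 15:05:30 fox sshd[1866]: reverse mapping checking getaddrinfo for 23-194.213-56.static-ip.oleane.fr [213.56.194.23] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 13 15:05:32 fox sshd[1866]: Failed password for root from 213.56.194.23 port 51812 ssh2
Jul 13 15:05:35 fox sshd[1869]: Failed password for invalid user admin from 213.56.194.23 port 51840 ssh2
Jul 13 15:07:01 fox sshd[1901]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Jul 13 15:08:10 fox sshd[1910]: Failed password for invalid user x from 203.0.113.9 port 1 ssh2 from 198.51.100.7 port 40030 ssh2
Jul 13 15:09:44 fox sshd[1933]: Accepted publickey for alice from 203.0.113.9 port 50112 ssh2
"""

# Both patterns are anchored at the end of the line and capture the LAST
# address, because the PTR name and the login name are chosen by the remote
# side and could contain text that imitates another address.
REVERSE_MAP = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for .* "
    r"\[([^\]\s]+)\] failed - POSSIBLE BREAK-IN ATTEMPT!$")
FAILED_AUTH = re.compile(
    r"sshd\[\d+\]: Failed \S+ for .* from (\S+) port \d+ ssh2$")

def tally_sources(log_text):
    """Count reverse-mapping warnings and failed logins per IPv4 source."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REVERSE_MAP.search(line) or FAILED_AUTH.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # not a well-formed IPv4 address: ignore the line
        counts[str(addr)] += 1
    return counts

def deny_lines(counts, threshold=3, never_block=()):
    """Render hosts.deny entries for sources seen at least `threshold` times."""
    skip = {str(ipaddress.IPv4Address(a)) for a in never_block}
    return [f"sshd: {addr}" for addr, n in sorted(counts.items())
            if n >= threshold and addr not in skip]

if __name__ == "__main__":
    print("\n".join(deny_lines(tally_sources(SAMPLE_LOG))))
```

Pass the addresses you log in from as `never_block` so a burst of your own mistyped passwords cannot lock you out.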




