from /var/log/messages I see msgs like
sshd[31200]: Illegal user agata
sshd[31202]: Illegal user alejandro
sshd[31204]: Illegal user alice
sshd[31206]: Illegal user alka
All from the same IP address in South Korea. What should I do?
--
NSK
http://portal.wikinerds.org
Hello,
On Saturday, 30 April 2005 12:17, NSK wrote:
from /var/log/messages I see msgs like
sshd[31200]: Illegal user agata
sshd[31202]: Illegal user alejandro
sshd[31204]: Illegal user alice
sshd[31206]: Illegal user alka
All from the same IP address in South Korea.
There are some script kiddies out there who try to get access via ssh. There was a thread in this list some time ago about this ("SSH attacks.", at the beginning of February) where somebody mentioned a script to block an IP after some "Illegal user" messages.
What should I do?
In general, you can ignore the messages if you have good passwords ;-) To be really sure, change SSH login to pubkey only.
Regards,
Christian Boltz
--
...of the four members of the "Nimbus Monospaced(!)" family, supposedly only the Regular is monospaced - the others are... well... proportional, just all equally proportional. =%-) [Ratti on fontlinge-devel after reading out the "monospaced" info]
NSK wrote:
from /var/log/messages I see msgs like
sshd[31200]: Illegal user agata
sshd[31202]: Illegal user alejandro
sshd[31204]: Illegal user alice
sshd[31206]: Illegal user alka
All from the same IP address in South Korea.
What should I do?
People are trying to enter your system with this user. This week, at a customer, I had a lot of bad passwords for user root, and after three or four days, they got the password and entered, trying and trying!!! But in my case, it was only an amateur, who only changed the password for root, and the logins were only for 1 minute!
The Saturday 2005-04-30 at 09:41 -0400, Hipolito A. Gonzalez M. wrote:
This week, at a customer, I had a lot of bad passwords for user root, and after three or four days, they got the password and entered, trying and trying!!! But in my case, it was only an amateur, who only changed the password for root, and the logins were only for 1 minute!
That could be enough, he could have installed a back door in that time. Root should not be allowed to login remotely. If they know a user name, it's just a question of launching a dictionary attack till they find the password. In time, they get it.
--
Cheers,
Carlos Robinson
Hi,
All from the same IP address in South Korea. What should I do?
Change the port of sshd. PuTTY and ssh accept arbitrary ports, so if you change to port 55522 (for example) you can still use it. This also helps a little bit against exploits, as most portscans concentrate on well-known services. These kids only check port 22, but for weeks :-( they were trying my systems months ago.
Ciao,
Dieter
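The three configuration changes suggested so far in this thread (Christian's pubkey-only login, Carlos's "root should not be allowed to login remotely", and Dieter's non-default port) applied to an sshd_config, as an added example that is not code from any of the posters. The script assumes the config file path is passed as an argument and that the file may carry a directive commented out (the shipped default `#PermitRootLogin yes`), already set, set twice, or not at all; the demo file contents are constructed here and port 55522 is the one Dieter named.

```shell
#!/bin/sh
# Added example, not from the thread. Rewrites an sshd_config so that a
# directive is set to the wanted value whether it is commented out
# ("#PermitRootLogin yes", as shipped by default), already set, or absent.
# The demo file and its contents below are constructed for this example.

set_sshd_directive() {
    # usage: set_sshd_directive <config-file> <Directive> <value>
    cfg=$1 key=$2 val=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        {
            line = $0
            # Strip leading blanks and at most one "#" so a commented default is recognised.
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {
                # First match is replaced; later duplicates are dropped, because
                # sshd honours only the first occurrence of a keyword.
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

get_sshd_directive() {
    # usage: get_sshd_directive <config-file> <Directive>
    # Prints the effective (first uncommented) value, or nothing if unset.
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { if (tolower($1) == tolower(key)) { print $2; exit } }
    ' "$1"
}

harden_sshd_config() {
    # usage: harden_sshd_config <config-file> [port]
    # No remote root login, public-key authentication only, non-default port.
    cfg=$1 port=${2:-55522}
    set_sshd_directive "$cfg" PermitRootLogin no
    set_sshd_directive "$cfg" PasswordAuthentication no
    set_sshd_directive "$cfg" PubkeyAuthentication yes
    set_sshd_directive "$cfg" Port "$port"
}

# Demo on a constructed config. On a real host: back the file up, keep an
# open session while you test, and run `sshd -t` before restarting sshd.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Sample sshd_config fragment (constructed for this example)
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication yes
X11Forwarding no
EOF
harden_sshd_config "$demo" 55522
cat "$demo"
rm -f "$demo"
```

Switching `PasswordAuthentication` to `no` only makes sense once your own public key is already in `~/.ssh/authorized_keys` and you have confirmed a key login works from a second session; otherwise the restart locks you out along with the script kiddies.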
Generally you can ignore these. If you're using iptables, you can use
swatch to add DROP entries to your INPUT chain -- this was discussed a
while back on this list. Or, you could look into using tcpwrappers with
sshd. A way to improve security is to not allow root logins through ssh.
To obtain root access, you'd login with your normal account and
"sudo su -". To change this default behavior to be more secure, edit
/etc/ssh/sshd_config and change:
#PermitRootLogin yes
to
PermitRootLogin no
Cheers,
rayc
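Both Christian (the "script to block an IP after some Illegal user messages" from the earlier thread) and rayc (swatch adding DROP entries to the INPUT chain) describe the same mechanism: count failed-user attempts per source and block sources that cross a threshold. The following is an added example of that counting step, not code from either poster or from swatch. The log lines are constructed (addresses from the RFC 5737 documentation ranges), the threshold of 3 is an arbitrary choice, and the iptables rules are only printed, never applied.

```shell
#!/bin/sh
# Added example, not from the thread: count "Illegal user" attempts per source
# address in a syslog file and print the iptables DROP rules a swatch-style
# action would add for sources over a threshold. Sample log lines are
# constructed for this example; the rules are printed, not applied.

SAMPLE_LOG='Apr 30 12:17:01 box sshd[31200]: Illegal user agata from ::ffff:192.0.2.10
Apr 30 12:17:03 box sshd[31202]: Illegal user alejandro from ::ffff:192.0.2.10
Apr 30 12:17:05 box sshd[31204]: Illegal user alice from ::ffff:192.0.2.10
Apr 30 12:17:07 box sshd[31206]: Illegal user alka from ::ffff:192.0.2.10
Apr 30 12:20:11 box sshd[31300]: Invalid user test from 198.51.100.7 port 40122
Apr 30 12:21:00 box sshd[31310]: Accepted publickey for nsk from 203.0.113.5 port 51022 ssh2'

count_illegal_users() {
    # usage: count_illegal_users <logfile>
    # Output: "<count> <ip>" per source, most attempts first.
    # Matches both the older "Illegal user" and the newer "Invalid user" wording.
    awk '/sshd\[[0-9]+\]: (Illegal|Invalid) user / {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            sub(/^::ffff:/, "", ip)          # IPv4-mapped form logged by older sshd
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

offending_sources() {
    # usage: offending_sources <logfile> <threshold>
    # Prints the source addresses with at least <threshold> attempts.
    count_illegal_users "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

block_rules() {
    # usage: block_rules <logfile> <threshold>
    # Emits one DROP rule per offending source. Review before applying, and keep
    # an ACCEPT rule for your own management address ahead of these in INPUT.
    offending_sources "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Demo on the constructed sample: 192.0.2.10 (4 attempts) crosses a threshold
# of 3, 198.51.100.7 (1 attempt) does not, and the successful key login for
# nsk is not counted at all.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo"
count_illegal_users "$demo"
block_rules "$demo" 3
rm -f "$demo"
```

A static threshold over the whole file is the simplest form; swatch runs the same idea on the live log tail, so each match fires as it arrives. Whichever way the rule gets added, make sure the blocked address set expires or is reviewed, since a dynamically assigned address that was scanning you this week may belong to somebody else next week.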
participants (6)
- Carlos E. R.
- Christian Boltz
- Dieter Kirchner
- Hipolito A. Gonzalez M.
- NSK
- R.Cielencki@neu.edu