On Saturday 22 November 2008 11:26:49, Herbert Graeber wrote:
On Saturday 22 November 2008 07:52:31, David C. Rankin wrote:
Listmates,
The work server seemed sluggish over the net tonight, so I checked the logs and they are filled with the little whackos running dictionary attacks against my server. But it looks like they have upgraded their scripts to make them come from different IPs.
What is that automated Block??? package that updates your hosts.deny file if you have x attempts in y minutes from an IP?
My logs are looking like this:
Nov 22 00:30:55 bonza sshd[31392]: Invalid user claudine from 61.4.210.33
Nov 22 00:30:55 bonza sshd[31392]: error: PAM: User not known to the underlying authentication module for illegal user claudine from 61.4.210.33
Nov 22 00:30:55 bonza sshd[31392]: Failed keyboard-interactive/pam for invalid user claudine from 61.4.210.33 port 22 ssh2
Nov 22 00:32:00 bonza sshd[31402]: Invalid user clemence from 192.25.133.82
Nov 22 00:32:01 bonza sshd[31402]: error: PAM: User not known to the underlying authentication module for illegal user clemence from at1.ftc.agilent.com
Nov 22 00:32:01 bonza sshd[31402]: Failed keyboard-interactive/pam for invalid user clemence from 192.25.133.82 port 49704 ssh2
Nov 22 00:33:01 bonza sshd[31410]: Invalid user clemence from 193.224.241.4
Nov 22 00:33:01 bonza sshd[31410]: error: PAM: User not known to the underlying authentication module for illegal user clemence from 193.224.241.4
Nov 22 00:33:01 bonza sshd[31410]: Failed keyboard-interactive/pam for invalid user clemence from 193.224.241.4 port 42807 ssh2
Nov 22 00:34:12 bonza sshd[31436]: refused connect from 200.193.32.145 (200.193.32.145)
Nov 22 00:35:22 bonza sshd[31443]: Invalid user clemence from 80.59.254.120
Nov 22 00:35:22 bonza sshd[31443]: error: PAM: User not known to the underlying authentication module for illegal user clemence from 120.red-80-59-254.staticip.rima-tde.net
Nov 22 00:35:22 bonza sshd[31443]: Failed keyboard-interactive/pam for invalid user clemence from 80.59.254.120 port 34207 ssh2
Nov 22 00:36:20 bonza sshd[31453]: Invalid user clemence from 166.111.68.183
Nov 22 00:36:21 bonza sshd[31453]: error: PAM: User not known to the underlying authentication module for illegal user clemence from hpclab.cs.tsinghua.edu.cn
Nov 22 00:36:21 bonza sshd[31453]: Failed keyboard-interactive/pam for invalid user clemence from 166.111.68.183 port 59241 ssh2
Nov 22 00:37:25 bonza sshd[31463]: refused connect from 123.14.10.64 (123.14.10.64)
Nov 22 00:38:23 bonza sshd[31469]: refused connect from 201.253.105.21 (201.253.105.21)
Nov 22 00:39:33 bonza sshd[31478]: refused connect from 83.222.222.201 (83.222.222.201)
Nov 22 00:40:01 bonza /usr/sbin/cron[31484]: (assistance) CMD (/usr/local/bin/Learn_as_spam_cron)
Nov 22 00:40:29 bonza sshd[31495]: Invalid user clemence from 59.125.200.51
Nov 22 00:40:29 bonza sshd[31495]: error: PAM: User not known to the underlying authentication module for illegal user clemence from 3w.upcc.com.tw
Nov 22 00:40:29 bonza sshd[31495]: Failed keyboard-interactive/pam for invalid user clemence from 59.125.200.51 port 16790 ssh2
Nov 22 00:41:33 bonza sshd[31504]: Invalid user clemence from 81.83.10.149
Nov 22 00:41:33 bonza sshd[31504]: error: PAM: User not known to the underlying authentication module for illegal user clemence from d51530a95.access.telenet.be
Nov 22 00:41:33 bonza sshd[31504]: Failed keyboard-interactive/pam for invalid user clemence from 81.83.10.149 port 55062 ssh2
Nov 22 00:42:36 bonza sshd[31514]: refused connect from 200.141.223.99 (200.141.223.99)
Nov 22 00:43:48 bonza sshd[31521]: Invalid user colette from 85.207.120.188
Nov 22 00:43:48 bonza sshd[31521]: error: PAM: User not known to the underlying authentication module for illegal user colette from 188-120-207-85.vychcechy.adsl-llu.static.bluetone.cz
Nov 22 00:43:48 bonza sshd[31521]: Failed keyboard-interactive/pam for invalid user colette from 85.207.120.188 port 45490 ssh2
Nov 22 00:44:45 bonza sshd[31530]: refused connect from 82.207.104.34 (82.207.104.34)
Nov 22 00:45:48 bonza sshd[31576]: refused connect from 83.18.247.69 (83.18.247.69)
Nov 22 00:46:59 bonza sshd[31587]: refused connect from 201.6.120.211 (201.6.120.211)
Nov 22 00:48:04 bonza sshd[31600]: refused connect from 200.58.171.134 (200.58.171.134)
Sorry for the missing answer...
Try denyhosts. Similar to the kiddies making a distributed attack using multiple IP addresses, denyhosts collects these addresses on a server, to make them available to all denyhosts users for a distributed defence.
Herbert
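The pattern discussed in this thread, as an added example that is not part of the original mails and is not DenyHosts code: a per-address "x attempts in y minutes" counter compared with a per-username count of distinct source addresses, which is what exposes a dictionary run spread over many IPs. The log lines are constructed in the format quoted above; the function names, the thresholds and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread; addresses are
# documentation ranges and admin/test/guest are made-up usernames.
SAMPLE = """\
Nov 22 00:30:55 bonza sshd[31392]: Invalid user claudine from 192.0.2.10
Nov 22 00:32:00 bonza sshd[31402]: Invalid user clemence from 198.51.100.7
Nov 22 00:33:01 bonza sshd[31410]: Invalid user clemence from 203.0.113.4
Nov 22 00:34:12 bonza sshd[31436]: refused connect from 192.0.2.99 (192.0.2.99)
Nov 22 00:35:22 bonza sshd[31443]: Invalid user clemence from 192.0.2.120
Nov 22 00:36:20 bonza sshd[31453]: Invalid user clemence from 198.51.100.183
Nov 22 00:50:01 bonza sshd[31601]: Invalid user admin from 203.0.113.77
Nov 22 00:50:03 bonza sshd[31602]: Invalid user test from 203.0.113.77
Nov 22 00:50:05 bonza sshd[31603]: Invalid user guest from 203.0.113.77
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)$")
WINDOW = timedelta(minutes=10)  # assumed value for "y minutes"

def parse(log, year=2008):  # syslog lines omit the year, so it is passed in
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))  # (time, user, ip)
    return sorted(events)

def sliding(events, key, value, window):  # per key: values in the window ending at each event
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)
    for k, evs in groups.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev[0] - evs[start][0] > window:
                start += 1
            yield k, [e[value] for e in evs[start:end + 1]]

def per_ip_offenders(events, limit=3, window=WINDOW):  # classic per-address threshold
    return {ip for ip, users in sliding(events, 2, 1, window) if len(users) >= limit}

def distributed_targets(events, min_ips=3, window=WINDOW):  # one username, many sources
    found = defaultdict(set)
    for user, ips in sliding(events, 1, 2, window):
        if len(set(ips)) >= min_ips:
            found[user].update(ips)
    return dict(found)
```

On the sample, the per-address rule flags only the single noisy source, while the per-username rule surfaces the four addresses that each tried `clemence` once.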