Hello,

On Friday, 4 December 2015, Marco Calistri wrote:
> Dec 04 16:39:46 linux-turion64.ddns.net sshd[15289]: Invalid user admin from 178.136.234.6
> Dec 04 12:59:06 linux-turion64.ddns.net sshd[12791]: Failed keyboard-interactive/pam for invalid user admin from 46.172.71.249 port 46183 ssh2
>
> Hence I temporarily disabled sshd.
> Does somebody see something familiar and dangerous in these messages?

You'll get tons of those messages as soon as your SSH port is open to the public - there are some script kiddies, botnets, whatever out there that try to find accounts with common usernames [1] and weak passwords. In other words: that's normal ;-)

Recommendations:
- disallow password-based logins, allow only key-based logins
- rate-limit SSH connections in the firewall (using ipt_recent or fail2ban) to reduce the number of attempts. For SuSEfirewall, you can use something like
      FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
  (If you only allow key-based logins, that's mostly log cosmetics ;-)

Regards,

Christian Boltz

[1] You'll get lots of attempts for users like admin or root, but I also remember cases where lots of names were tried, basically more given names than I ever heard of. So if you need some inspiration to find a name for your child, have a look at your SSH logs ;-))

-- 
But still ... You know, lad, with something like this I always instinctively think of the worst case. Namely, that it's not a clever one like you who does it, but that just anyone picks it up here or in some forum.
[David Haller in opensuse-de]
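
Added example, not part of the original mail: a small Python script that reads sshd lines of the two shapes quoted above and reports which source addresses reach 5 failures within 300 seconds, the thresholds from the firewall line. It counts logged failures the way fail2ban-style tools do (the firewall rule itself counts connections); the host name, the addresses in SAMPLE and the `year` parameter are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HITCOUNT, WINDOW = 5, timedelta(seconds=300)  # values from the firewall line above

# The two sshd message shapes quoted in the mail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|Failed \S+ for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\S+))")

def parse(line, year=2015):
    """Return (timestamp, user, source_ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["u1"] or m["u2"], m["ip1"] or m["ip2"]

def offenders(lines):
    """Map source IP -> time it first reached HITCOUNT failures inside WINDOW."""
    recent, flagged = defaultdict(deque), {}
    for ts, _user, ip in sorted(filter(None, map(parse, lines))):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop hits older than the window
            q.popleft()
        if len(q) >= HITCOUNT:
            flagged.setdefault(ip, ts)
    return flagged

# Constructed sample lines (documentation addresses, hypothetical host name).
H = "host.example sshd[100]: "
SAMPLE = (
    [f"Dec 04 16:39:{s:02d} {H}Invalid user admin from 203.0.113.7" for s in (1, 9, 17, 25, 33)]
    + [f"Dec 04 {h}:00:00 {H}Failed password for root from 198.51.100.9 port 4000 ssh2"
       for h in (10, 11, 12, 13, 14)]
    + [f"Dec 04 16:40:00 {H}Accepted publickey for alice from 192.0.2.10 port 5000 ssh2"]
)

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{ip} reached {HITCOUNT} failures within {WINDOW} at {when}")
```

The address that tries once an hour never trips the threshold, which is why a short window mainly cuts down fast bursts and log volume rather than slow guessing.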