On 11/8/05, Dan Abernathy
Hello all
I notice several automated break-in attempts appearing in /var/log/messages regarding sshd. A small sample:
Nov 7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189
Nov 7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Hundreds of entries like the above, working their way through every English letter using common first names, also names of services like Apache.
It might be worth your while to take a look at using swatch (it is a Perl module) to defend against these attacks. An example of the config file might be:

------
#
# Swatch configuration file for constant monitoring
#

# assume inside your.org is OK
ignore /10./

# Attempted root logins
watchfor /Failed password for root/
    echo bold
    exec "/usr/local/bin/block_ip $11"
    mail addresses=sysadmin\@your.org,subject="Swatch message from GATEWAY: sshd bad root login"

watchfor /Failed password for illegal user/
    echo
    exec "/usr/local/bin/block_ip $13"
    mail addresses=sysadmin\@your.org,subject="Swatch message from GATEWAY: ssh illegal user"
-----

where the block_ip script is something like:

----
#!/bin/sh
# $1 is the address field swatch passed in ($11 or $13 above); strip the
# IPv4-mapped prefix (::ffff:) that sshd logs on dual-stack hosts so that
# iptables is given a plain IPv4 address.
/usr/sbin/iptables -I INPUT -s `perl -e '$bad_ip=$ARGV[0];$bad_ip =~ s/::ffff://;print $bad_ip;' $1` -p tcp --dport 22 -j DROP
----

Mark
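The following is an added example, not code from either poster. It does in Python what Mark's swatch rules and block_ip script do together: recognise the sshd failure lines Dan quoted, pull out the peer address, strip the ::ffff: prefix, skip the inside network, and build the iptables command that block_ip would run. Two things are assumptions of mine rather than anything in the thread: the address is matched with a regular expression keyed on "from <addr>" instead of by whitespace-field position, and a failure threshold is applied before an address is blocked instead of acting on the first hit. The log lines are constructed to match the format in the original post.

```python
"""Detect sshd brute-force sources from syslog lines and build block commands.

Added example for this thread; the sample log below is constructed, not real.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format Dan posted (assumed, not real data).
SAMPLE_LOG = """\
Nov 7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189
Nov 7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Nov 7 14:34:12 d8400 sshd[18611]: Failed password for illegal user aaron from 71.129.198.189 port 40312 ssh2
Nov 7 14:35:02 d8400 sshd[18620]: Failed password for root from ::ffff:192.0.2.10 port 4022 ssh2
Nov 7 14:35:05 d8400 sshd[18622]: Failed password for root from 10.0.0.5 port 4023 ssh2
Nov 7 14:36:00 d8400 sshd[18630]: Accepted password for alice from 10.0.0.7 port 5000 ssh2
"""

# Covers both "watchfor" patterns from Mark's config plus the "Invalid user"
# lines Dan saw. Anchoring on "from <addr>" avoids counting fields ($11/$13),
# which breaks as soon as the user name or message wording changes.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:illegal user |invalid user )?\S+"
    r"|Invalid user \S+) from (\S+)"
)


def source_ip(line):
    """Return the peer address of an sshd failure line, or None for other lines."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ip = m.group(1)
    # sshd on a dual-stack host logs IPv4 peers as IPv4-mapped IPv6 addresses;
    # strip the prefix exactly as block_ip's perl one-liner does.
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    # Never hand a string to iptables unless it really is an address literal.
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ip


def is_inside(ip, prefixes=("10.",)):
    """Mark's 'ignore /10./' intent, applied to the address rather than the line."""
    return any(ip.startswith(p) for p in prefixes)


def blocked_ips(log_text, threshold=3, ignore_prefixes=("10.",)):
    """Addresses with at least `threshold` failures, excluding inside prefixes.

    `threshold` is an assumption of this example; the original config blocks
    on the first failure.
    """
    counts = Counter()
    for line in log_text.splitlines():
        ip = source_ip(line)
        if ip is None or is_inside(ip, ignore_prefixes):
            continue
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_command(ip):
    """The argv block_ip would execute, as a list so no shell quoting is involved."""
    return ["/usr/sbin/iptables", "-I", "INPUT", "-s", ip,
            "-p", "tcp", "--dport", "22", "-j", "DROP"]


if __name__ == "__main__":
    for ip in blocked_ips(SAMPLE_LOG):
        print(" ".join(iptables_command(ip)))
```

Two caveats worth noting when adapting Mark's config: swatch's `ignore /10./` is an unanchored regex, so it also skips any line whose timestamp, day or PID happens to contain "10" followed by any character (for example "Nov 10" or "sshd[1034]"), which is why the example tests the extracted address instead of the whole line; and swatch's `$11`/`$13` are whitespace-field positions, which shift if the user name contains a space or the sshd message wording differs between versions, so the rule that fires would pass the wrong token to block_ip.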