On 03/03/2021 23.24, Per Jessen wrote:
Carlos E. R. wrote:
On 03/03/2021 20.24, Per Jessen wrote:
Lew Wolfgang wrote:
Well, that you have any entries at all from sshd means that something is poking at the port it's listening on, right?
I would say so.
I just checked and I've got 942 entries like the following in the past four days, most from different IPs.
Oh yeah, the threat is certainly real. In February, our external (rented) servers had about 4-5000 such attempts, each. All configured for public key only, even so listening on a high port. Always with big time gaps, 5-10-15 minutes - true brute force was yesteryear.
44'244 attempts over twelve specific servers, 14'963 unique ipv4 addresses from 141 countries.
What do you use to analyze that? I.e., how do you know?
The plain old logfile, /var/log/messages. sshd will log failed login attempts. To analyze it, I grep through the files, then load the data into a database, which makes it easier to query.
Ah, ok, you load a database. Ok.

My job at Lucent involved a lot of analyzing logs. We had specific tools to do it, but often I used grep. In fact, Lucent had their own specific version of grep, called cgrep (there is (was?) a packaged version of it on home:rbos), that made it much easier to analyze their reports.

A tool that would collect the failed connection attempts, then would automatically search for those IPs in the logs, would be nice. Cross referencing.

--
Cheers / Saludos,

Carlos E. R.
(from 15.2 x86_64 at Telcontar)
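The workflow Per describes (grep the failed attempts out of /var/log/messages, load them into a database, query) and the cross-referencing tool Carlos wishes for can be put together in a few dozen lines. The script below is an added example, not code from anyone in this thread: it parses openSUSE-style rsyslog lines from sshd into an in-memory SQLite database, counts failed attempts and unique IPs, lists the IPs that only ever failed, measures the time gaps between an IP's attempts, and pulls every raw line (sshd or not) that mentions a given IP. The log lines in SAMPLE_LOG are constructed for the example and use documentation address ranges; the table and function names are my own choices.

```python
"""Extract failed sshd logins from /var/log/messages-style lines, load them
into SQLite, query them, and cross-reference offending IPs against the
whole log. Added example for the thread above, not code posted in it."""
import re
import sqlite3
from datetime import datetime

# Constructed sample in openSUSE rsyslog format (high-precision timestamp,
# host, program[pid]: message). Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-03-03T20:24:01.000000+01:00 telcontar sshd[4101]: Invalid user admin from 203.0.113.5 port 41022
2021-03-03T20:24:01.000000+01:00 telcontar sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
2021-03-03T20:24:03.000000+01:00 telcontar sshd[4101]: Connection closed by invalid user admin 203.0.113.5 port 41022 [preauth]
2021-03-03T20:31:17.000000+01:00 telcontar sshd[4188]: Failed password for root from 198.51.100.7 port 55012 ssh2
2021-03-03T20:31:18.000000+01:00 telcontar sshd[4188]: Connection closed by authenticating user root 198.51.100.7 port 55012 [preauth]
2021-03-03T20:45:40.000000+01:00 telcontar sshd[4260]: Failed publickey for carlos from 192.0.2.44 port 50110 ssh2
2021-03-03T20:46:02.000000+01:00 telcontar sshd[4262]: Accepted publickey for carlos from 192.0.2.44 port 50112 ssh2: ED25519 SHA256:(fingerprint)
2021-03-03T20:47:09.000000+01:00 telcontar sshd[4301]: Failed password for invalid user oracle from 203.0.113.5 port 41900 ssh2
2021-03-03T20:47:10.000000+01:00 telcontar cron[4310]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")

# sshd message shapes we care about, tried in order. "Failed ..." is the actual
# authentication failure; the others are context that helps cross-referencing.
EVENT_PATTERNS = [
    ("failed", re.compile(r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")),
    ("accepted", re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")),
    ("closed_preauth", re.compile(r"Connection closed by (?:authenticating|invalid) user (?P<user>\S+) (?P<ip>[\d.]+) port \d+ \[preauth\]")),
]


def parse_line(line):
    """Return an event dict for a recognised sshd line, else None (the grep step)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for kind, pat in EVENT_PATTERNS:
        e = pat.search(m.group("msg"))
        if e:
            d = e.groupdict()
            return {"ts": m.group("ts"), "host": m.group("host"), "kind": kind,
                    "user": d.get("user"), "ip": d["ip"], "method": d.get("method")}
    return None


def load(lines):
    """Load every raw line plus the parsed sshd events into an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE raw (lineno INTEGER PRIMARY KEY, line TEXT)")
    conn.execute("CREATE TABLE ssh_event (lineno INTEGER, ts TEXT, host TEXT, kind TEXT, user TEXT, ip TEXT, method TEXT)")
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        conn.execute("INSERT INTO raw VALUES (?, ?)", (n, line))
        ev = parse_line(line)
        if ev:
            conn.execute("INSERT INTO ssh_event VALUES (?, ?, ?, ?, ?, ?, ?)",
                         (n, ev["ts"], ev["host"], ev["kind"], ev["user"], ev["ip"], ev["method"]))
    conn.commit()
    return conn


def summarize(conn):
    """Totals, per-IP counts and the IPs that never managed a successful login."""
    failed = conn.execute("SELECT COUNT(*) FROM ssh_event WHERE kind = 'failed'").fetchone()[0]
    unique_ips = conn.execute("SELECT COUNT(DISTINCT ip) FROM ssh_event WHERE kind = 'failed'").fetchone()[0]
    top = conn.execute("SELECT ip, COUNT(*) AS c FROM ssh_event WHERE kind = 'failed' "
                       "GROUP BY ip ORDER BY c DESC, ip").fetchall()
    # A legitimate client offering several keys logs 'Failed publickey' right before
    # 'Accepted publickey'; exclude any IP that also has an accepted login.
    suspects = conn.execute("SELECT DISTINCT ip FROM ssh_event WHERE kind = 'failed' AND ip NOT IN "
                            "(SELECT ip FROM ssh_event WHERE kind = 'accepted') ORDER BY ip").fetchall()
    return {"failed": failed, "unique_ips": unique_ips, "top": top, "suspects": [r[0] for r in suspects]}


def gaps_seconds(conn, ip):
    """Seconds between consecutive failed attempts from one IP (slow scans show large gaps)."""
    rows = conn.execute("SELECT ts FROM ssh_event WHERE kind = 'failed' AND ip = ? ORDER BY ts", (ip,)).fetchall()
    stamps = [datetime.fromisoformat(r[0]) for r in rows]
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def cross_reference(conn, ip):
    """Every raw line mentioning the IP, in file order; the boundary check stops
    203.0.113.5 from matching 203.0.113.50."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    rows = conn.execute("SELECT line FROM raw ORDER BY lineno").fetchall()
    return [r[0] for r in rows if pat.search(r[0])]


if __name__ == "__main__":
    # Real use: load(open("/var/log/messages")) instead of the constructed sample.
    db = load(SAMPLE_LOG.splitlines())
    report = summarize(db)
    print(report)
    for suspect in report["suspects"]:
        print(suspect, "gaps:", gaps_seconds(db, suspect))
        for raw in cross_reference(db, suspect):
            print("   ", raw)
```

Counting only the "Failed ..." lines matters: each attempt also produces an "Invalid user" and a "Connection closed ... [preauth]" line, so a naive grep for the IP triples the numbers. On real logs, feed the script the rotated files too (messages-*.xz on openSUSE) and keep the database on disk instead of in memory so weeks of data can be compared.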