15 Feb
2009
15 Feb
'09
5:32 a.m.
On Sunday 15 February 2009 00:43:17 Fons Adriaensen wrote:
On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien
Claassen wrote:
I have a script that filters the log-files for "invalid user", extracts the IP
and adds it to the RECENT table (which is used for blocking for five minutes).
But some of these attackers have botnets which means a lot of IP's to be
blocked before they finished their username-list...
From my experience using key-logins only helps when you have only linux users.
Most windows people don't really understand the concepts of security, public
keys and such.
Arnold
8226 ? Ss 0:00 sshd: unknown [priv]
8227 ? S 0:00 sshd: unknown [net]
Just before that I only saw "sshd [accept]" and "sshd [net]".
Shutdown sshd and made new password and restarted sshd. Now it's the
same. Can I easily check where it's coming from and what it's doing. I
don't see anything besides those two lines. No other strange processes.
Someone is trying a ssh login - usually from the former
east block - and probably trying a list of user names
and passwords. Do (as root) tail -50 /var/log/secure
to see the show.
It happens here all the time. As long as you don't have
any easily guessed user/passwd combinations the danger
is limited, and closing your network connection for a
minute usually makes them go away. Configuring sshd to
allow only dsa authentication is better of course.