santner, posted September 25, 2004

I have only had DSL for two weeks, and because I finally have DSL I have set up a web server, an FTP server and an sshd server. Well, I finally got around to looking at some log files, specifically /var/log/auth.log, and I found a 768k, 282-page file filled with this crap:

Sep 24 14:17:36 mandrake sshd(pam_unix)[6541]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.252.143.252 user=root
Sep 24 14:17:38 mandrake sshd[6541]: Failed password for root from ::ffff:211.252.143.252 port 39071 ssh2
Sep 24 14:17:40 mandrake sshd(pam_unix)[6543]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.252.143.252 user=root
Sep 24 14:17:42 mandrake sshd[6543]: Failed password for root from ::ffff:211.252.143.252 port 39166 ssh2
Sep 24 14:17:44 mandrake sshd(pam_unix)[6545]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.252.143.252 user=root
Sep 24 14:17:47 mandrake sshd[6545]: Failed password for root from ::ffff:211.252.143.252 port 39257 ssh2
Sep 24 14:17:48 mandrake sshd(pam_unix)[6547]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.252.143.252 user=root

As you can see there is a repeated pattern of sshd root login attempts about every two seconds. I don't think anyone has made it yet, but just the thought is ridiculous.
paul, posted September 25, 2004

I'd be changing the port sshd runs on if I were you, in /etc/sshd/sshd_config, or in your firewall port-forward (some other port) to 22.
DJ_Max, posted September 26, 2004

This could be the common virus making root attempts. Regardless, set up APF & BFD. That way it'll ban the IP address.
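An added example, not code from anyone in this thread: a small Python script that does for santner's log what a BFD-style banner of the kind DJ_Max suggests does. It parses the sshd "Failed password" lines from /var/log/auth.log (the sshd(pam_unix) line is the same attempt under the same PID, so only the sshd line is counted), tallies failures per source address, and turns repeat offenders into a hosts.deny entry plus an iptables rule. The log excerpt (modelled on the quoted lines, with two extra lines from a second host), the year 2004 (syslog timestamps carry none), the threshold of 3 and the ban formats are all constructed assumptions for the demo; the script prints rules rather than applying them.

```python
import re
from datetime import datetime

# Constructed sample in the format of the sshd lines quoted above (not a real capture).
# The last two lines are a non-root failure and a success from a different host.
SAMPLE_AUTH_LOG = """\
Sep 24 14:17:36 mandrake sshd(pam_unix)[6541]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.252.143.252 user=root
Sep 24 14:17:38 mandrake sshd[6541]: Failed password for root from ::ffff:211.252.143.252 port 39071 ssh2
Sep 24 14:17:40 mandrake sshd(pam_unix)[6543]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.252.143.252 user=root
Sep 24 14:17:42 mandrake sshd[6543]: Failed password for root from ::ffff:211.252.143.252 port 39166 ssh2
Sep 24 14:17:44 mandrake sshd(pam_unix)[6545]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.252.143.252 user=root
Sep 24 14:17:47 mandrake sshd[6545]: Failed password for root from ::ffff:211.252.143.252 port 39257 ssh2
Sep 24 14:17:48 mandrake sshd(pam_unix)[6547]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.252.143.252 user=root
Sep 24 14:17:50 mandrake sshd[6547]: Failed password for root from ::ffff:211.252.143.252 port 39301 ssh2
Sep 24 14:20:01 mandrake sshd[6600]: Failed password for admin from ::ffff:10.0.0.7 port 40001 ssh2
Sep 24 14:20:03 mandrake sshd[6600]: Accepted password for santner from ::ffff:10.0.0.7 port 40001 ssh2
"""

# Matches only the sshd[...] line, not the duplicate sshd(pam_unix) line for the same attempt.
# "invalid user" appears when the account does not exist; the IPv4-mapped ::ffff: prefix is dropped.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?:::ffff:)?(?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2004):
    """Return [(timestamp, user, source_ip), ...] for every failed-password line.
    syslog timestamps have no year, so the caller supplies one (2004 is an assumption)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def summarise(failures):
    """Per source IP: failure count, users targeted, first/last attempt and span in seconds."""
    per_ip = {}
    for ts, user, ip in failures:
        s = per_ip.setdefault(ip, {"count": 0, "users": set(), "first": ts, "last": ts})
        s["count"] += 1
        s["users"].add(user)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in per_ip.values():
        s["span_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return per_ip


def offenders(log_text, threshold=3, year=2004):
    """Source IPs with at least `threshold` failures, most active first."""
    stats = summarise(parse_failures(log_text, year))
    return sorted((ip for ip, s in stats.items() if s["count"] >= threshold),
                  key=lambda ip: -stats[ip]["count"])


def ban_rules(ips):
    """Text a BFD-style banner would emit per offender: a /etc/hosts.deny line (works where
    sshd is built with tcp_wrappers) and an iptables DROP rule for the SSH port (assumed 22)."""
    rules = []
    for ip in ips:
        rules.append(f"sshd: {ip}")
        rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    for ip, s in summarise(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {s['count']} failures, users {sorted(s['users'])}, over {s['span_seconds']}s")
    for rule in ban_rules(offenders(SAMPLE_AUTH_LOG)):
        print(rule)
```

On the real file, feed it `open("/var/log/auth.log").read()`. Two caveats: the per-IP count has no time window, so a legitimate user who mistypes a password three times gets the same treatment as the scanner (a production banner counts within a window and expires bans); and the script only prints the hosts.deny line and the iptables command, so nothing is blocked until you apply them yourself.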
papaschtroumpf, posted September 27, 2004

> This could be the common virus making root attempts. Regardless, set up APF & BFD. That way it'll ban the IP address.

What's APF and BFD? There has been some kind of script out since late July that does the SSH scanning like that. Changing the SSH port seems to take care of the problem.
n00i3, posted December 19, 2004 (edited)

> > This could be the common virus making root attempts. Regardless, set up APF & BFD. That way it'll ban the IP address.
>
> What's APF and BFD? There has been some kind of script out since late July that does the SSH scanning like that. Changing the SSH port seems to take care of the problem.

Argh, I have the same problem; should have read this thread first. :P Anyway, so I have a nice fat list of hosts and IPs that were trying to log in as root... anyone have any experience in reporting abuse? (I was looking through the var/logs/messages file and this one fellow tried a bunch of usernames too; don't think it's a virus. :unsure:)
n00i3, posted December 19, 2004 (edited)

> I'd be changing the port sshd runs on if I were you, in /etc/sshd/sshd_config, or in your firewall port-forward (some other port) to 22.

For me it's /etc/ssh/sshd_config. :P ... I know how to port forward to an IP, but how would I "portward"? :unsure:
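An added example for paul's port-change advice and n00i3's path correction (not code from the thread): a Python helper that rewrites sshd_config to move sshd to another port and, since every attempt in the pasted log is for root, also sets PermitRootLogin no. The sample config, the port 2222 and the function names are assumptions. It respects two sshd rules that hand edits often miss: sshd uses the first value it sees for a keyword, and directives after a Match line are conditional, so a directive that is missing is inserted before any Match block rather than appended at the end.

```python
import re

# Constructed stand-in for /etc/ssh/sshd_config (the stock file ships "#Port 22" commented out).
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
#Port 22
Protocol 2
# Port numbers below 1024 need root; leave this comment alone.
PermitRootLogin yes
X11Forwarding no
"""

# A "Keyword value" line, optionally commented out. A prose comment such as
# "# Port numbers below ..." has more than one token after the keyword and does not match.
DIRECTIVE = re.compile(r"^\s*(?P<hash>#?)\s*(?P<key>[A-Za-z]+)\s+(?P<val>\S+)\s*$")
MATCH_LINE = re.compile(r"^\s*Match\b", re.IGNORECASE)
CANON = {"port": "Port", "permitrootlogin": "PermitRootLogin"}


def harden_sshd_config(text, port=2222, permit_root="no"):
    """Return the config with Port and PermitRootLogin forced in the global section.
    The first occurrence (commented or not) is rewritten; later duplicates are commented
    out because sshd would ignore them anyway; missing directives go before the first Match."""
    wanted = {"port": str(port), "permitrootlogin": permit_root}
    seen = set()
    out = []
    match_at = None
    for line in text.splitlines():
        if match_at is None and MATCH_LINE.match(line):
            match_at = len(out)
        m = DIRECTIVE.match(line)
        key = m.group("key").lower() if m else None
        if match_at is None and key in wanted:
            if key in seen:
                out.append("# " + line.lstrip("# "))  # duplicate: ignored by sshd, made explicit
            else:
                out.append(f"{CANON[key]} {wanted[key]}")
                seen.add(key)
            continue
        out.append(line)
    missing = [f"{CANON[k]} {v}" for k, v in wanted.items() if k not in seen]
    if match_at is None:
        out.extend(missing)
    else:
        out[match_at:match_at] = missing
    return "\n".join(out) + "\n"


def effective(text, key):
    """Value sshd would use for `key`: the first uncommented occurrence before any Match, else None."""
    for line in text.splitlines():
        if MATCH_LINE.match(line):
            break
        m = DIRECTIVE.match(line)
        if m and not m.group("hash") and m.group("key").lower() == key.lower():
            return m.group("val")
    return None


if __name__ == "__main__":
    hardened = harden_sshd_config(SAMPLE_SSHD_CONFIG)
    print(hardened)
    print("Port ->", effective(hardened, "Port"), "| PermitRootLogin ->", effective(hardened, "PermitRootLogin"))
```

Write the result back to /etc/ssh/sshd_config, run `sshd -t` to syntax-check it, and restart sshd from a session you keep open until you have confirmed the new port answers. For the firewall route paul mentions, on a Linux gateway a DNAT rule such as `iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22` (internal address assumed) forwards the new outside port to sshd still listening on 22 inside. Keep in mind that the port change only hides the daemon from scanners sweeping port 22; PermitRootLogin no is what stops the root guesses whichever port they arrive on.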