On Sun, 2005-08-21 at 21:09, Jeffrey Means wrote: > One other method I have sucessfully used / am using is to change the port number > of the service being attacked. If we are talking about ssh this can be done in > the /etc/ssh/sshd_config file by changing / adding a Port xxxx line to the file. > > I hope this helps you it has drastically decreased the number of people trying > to break down my front door. > --Jeff Means > MeansPC - Custom Web Development for your needs. > > CentOS mailing list <centos@xxxxxxxxxx> wrote: > > On Sun, 2005-08-21 at 17:03 -0500, Jerry Geis wrote: > > > I have quite a few entries in /var/log/messages for connection attempts. > > > Is there anything other > > > than ignoring them I can do? Example is below. > > > > > > > There are a number of scripts (some Perl, some Python) out there to > > monitor the log and add an entry in hosts.deny to block any further > > attempts from the offending IP when too many failed password attempts > > are noted. You can find them with some "googling". > > > > I am using a modified one to stop these breakin attempts on my servers. > > > > > Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown > > > Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; > > > logname= uid=0 euid=0 tty=ssh ruser= > > > rhost=wsip-24-234-149-156.lv.lv.cox.net > > It is good to know that this type of attack against ssh is generally automated. Most likely run by script kiddies looking for a system with poor passwords or default passwords on that service. If you take the actions others have already posted you should be in good shape. Just make sure you use non-trivial passwords, limit which users are allowed to login into ssh, and if you want to eliminate this type of traffic in your log files use a different port. It is important to realize that changing the port number is not a security measure. Any good hacker will scan your system and find it. But it does prevent these automated scripts from finding your system for the most part.