Jerry Geis wrote:
> I have quite a few entries in /var/log/messages for connection
> attempts. Is there anything other
> than ignoring them I can do? Example is below.
>
> Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
> Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=wsip-24-234-149-156.lv.lv.cox.net
>
Heh. Welcome to the club. If you've got a well connected machine, and
it's listening on any ports, you'll get these. I sometimes get 100-200k
logwatch reports and it's all idiots trying to run dictionary attacks
against ssh. It comes in waves. Some days I don't get any.
All you can really do is filter the naughty IP addresses, but that
doesn't really do a whole lot of good since they rarely come from the
same place twice. Back in the days when this was so common, I'd make an
effort to find the netblock owner and warn them that one of their
machines had been compromised, but that's not even worth the effort
anymore. A lot of times, it's from some big ISP who just drops those
complaints on the floor...especially if it's in the far east.
Cheers,
