On Sat, 2005-01-08 at 22:38 +0000, Paul wrote:

[snip]

> There are a few things in my logs which are suspicious...
>
> First are a couple like this
>
> Jan 1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:70.56.41.21
> Jan 1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-consulting.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
>
> I seem to be subjected to a dictionary attack.

It's been going on for several months now. Must be some kind of worm out there, but it's harmless provided you take some precautions.

> Should I be overly worried? I've closed ssh on my router, so that's one
> line of defence in the way :-)
>

And that probably covers it all. If you need ssh enabled on an internet-connected host, I would recommend at least one, maybe all of the following:

1) Allow rsa key logins only.
2) Restrict by IP address, if possible.
3) Restrict by username if possible.
4) Run sshd on a port other than 22.
5) Use port knocking if you are really paranoid. (Though that hasn't had enough field testing to trust it as the only security measure, for sure.)

--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
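The two sshd log lines quoted in the thread are enough to tally a dictionary attack per source address. The script below is an added example, not code from this thread; it parses constructed sample lines in that same syslog format (documentation-range addresses stand in for real hosts), strips the `::ffff:` IPv4-mapped prefix sshd logs on dual-stack sockets, and reports which sources probed several non-existent usernames and whether sshd also logged a reverse-DNS mismatch for them.

```python
import re
from collections import defaultdict

# Constructed sample log, in the format sshd uses for the lines quoted above.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan  1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:203.0.113.21
Jan  1 22:18:36 T7 sshd[31409]: Address 203.0.113.21 maps to host.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan  1 22:18:40 T7 sshd[31412]: Invalid user guest from ::ffff:203.0.113.21
Jan  1 22:18:44 T7 sshd[31415]: Invalid user admin from ::ffff:203.0.113.21
Jan  1 22:19:02 T7 sshd[31420]: Invalid user oracle from ::ffff:203.0.113.21
Jan  1 22:19:10 T7 sshd[31425]: Invalid user test from 198.51.100.7
Jan  1 22:20:00 T7 sshd[31430]: Accepted publickey for paul from 192.0.2.10 port 50211 ssh2
"""

# "Invalid user <name> from <addr>": a login attempt for an account that does not exist.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<addr>\S+)")
# The reverse-lookup warning sshd emits when PTR and A records disagree.
NO_REVERSE_RE = re.compile(r"Address (?P<addr>\S+) maps to \S+, but this does not map back")


def normalize_addr(addr):
    """Return the plain IPv4 form of an IPv4-mapped IPv6 address (::ffff:a.b.c.d)."""
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def analyze(log_text):
    """Per source address: number of invalid-user attempts, the usernames tried,
    and whether sshd reported a reverse-DNS mismatch for that address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "reverse_mismatch": False})
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            entry = stats[normalize_addr(m["addr"])]
            entry["attempts"] += 1
            entry["users"].add(m["user"])
            continue
        m = NO_REVERSE_RE.search(line)
        if m:
            stats[normalize_addr(m["addr"])]["reverse_mismatch"] = True
    return dict(stats)


def dictionary_attack_sources(log_text, min_distinct_users=3):
    """Sources that tried at least min_distinct_users different non-existent accounts;
    one stray typo'd username is not an attack, a spread of guessed names is."""
    return sorted(ip for ip, s in analyze(log_text).items()
                  if len(s["users"]) >= min_distinct_users)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s["attempts"], sorted(s["users"]), "no-PTR-match" if s["reverse_mismatch"] else "")
    print("dictionary attack from:", dictionary_attack_sources(SAMPLE_LOG))
```

Run it against `/var/log/secure` (or wherever your syslog sends auth messages) to see which sources to block; the accepted-publickey line is deliberately ignored, since successful logins are not what the tally is about.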