On Sat, 8 Jan 2005, Paul Iadonisi wrote:

> On Sat, 2005-01-08 at 22:38 +0000, Paul wrote:
>
> [snip]
>
> > There are a few things in my logs which are suspicious...
> >
> > First are a couple like this
> >
> > Jan 1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:70.56.41.21
> > Jan 1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-consulting.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> >
> > I seem to be subjected to a dictionary attack.
>
> It's been going on for several months now. Must be some kind of worm
> out there, but it's harmless provided you take some precautions.
>
> > Should I be overly worried? I've closed ssh on my router, so that's one
> > line of defence in the way :-)
>
> And that probably covers it all. If you need ssh enabled on an
> internet connected host, I would recommend at least one, maybe all of
> the following:
>
> 1) Allow rsa key logins only.
> 2) Restrict by IP address, if possible.
> 3) Restrict by username if possible.
> 4) Run sshd on a port other than 22.
> 5) Use port knocking if you are really paranoid. (Though that hasn't
> had enough field testing to trust it as the only security measure,
> for sure.)

Another thing you might want to look into is the ipt_recent module for
iptables. I just crafted a couple of rules for fwbuilder that allow
iptables to watch for multiple connection attempts from the same address
within a minute. I have it set so that if the same ip address tries to
connect more than 2 times in a minute, subsequent connection attempts
from that ip address are simply dropped by iptables. After 60 seconds
connections from the offending ip are restored, at least until they
exceed the threshold again. That at least limits how many attempts the
bad guys can make. If it is just someone that screwed up their username
or passwd it does not lock them out permanently.

Regards,

Tom Diehl
tdiehl@xxxxxxxxxxxx
Spamtrap address mtd123@xxxxxxxxxxxx
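The ipt_recent rate limit described in the reply above, written out as plain iptables commands (an added example, not Tom Diehl's fwbuilder rules). The chain name `SSH_LIMIT`, the list name `sshlimit`, the port and the thresholds are assumptions; the function prints the rules rather than applying them so it can be inspected on a machine without iptables.

```shell
#!/bin/sh
# Added example: throttle new SSH connections per source address with the
# iptables "recent" match (kernel module ipt_recent, later xt_recent).
# Chain name, list name, port and thresholds are assumptions.
#
# Policy, as in the reply: at most HITS new connections from one address
# within SECONDS; the next attempt in that window is dropped. Every attempt
# is still recorded (--set runs before the check), so an address that keeps
# hammering stays blocked, while one that goes quiet is accepted again once
# its old timestamps fall outside the window.
#
# ssh_ratelimit_rules [PORT] [HITS] [SECONDS]  -> prints the rules, one per line.
# Apply as root with:  ssh_ratelimit_rules 22 2 60 | sh
ssh_ratelimit_rules() {
    port=${1:-22}
    hits=${2:-2}
    secs=${3:-60}
    # --hitcount N matches when N timestamps (including the current packet's,
    # just added by --set) fall inside --seconds, so block at HITS+1.
    block=$((hits + 1))
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport $port -m state --state NEW -j SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name sshlimit --set
iptables -A SSH_LIMIT -m recent --name sshlimit --rcheck --seconds $secs --hitcount $block -j DROP
iptables -A SSH_LIMIT -j ACCEPT
EOF
}

# ssh_ratelimit_status -> shows the addresses currently tracked by the
# module (the list lives under /proc; the path depends on the kernel).
ssh_ratelimit_status() {
    for f in /proc/net/xt_recent/sshlimit /proc/net/ipt_recent/sshlimit; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "sshlimit list not present (rules not loaded?)" >&2
    return 1
}
```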