Subject: RE: How to display IP of ssh user in message?
> From: Ryan Golhar <golharam@xxxxxxxxx>
> Date: Tue, 03 May 2005 16:27:23 -0400
We get attacks nightly. Last night, there were 500+ attempted logins to root through ssh. All from the same IP address.
The warning banner doesn't do much good...I could call theplanet.com but then I'd be calling different ISPs almost daily because of the attacks.
Actually, I don't believe it's from theplanet.com. <snip>
sshd:
   Invalid Users:
      Unknown Account: 602 Time(s)
   Authentication Failures:
      xfs (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
      root (nitrogen.umdnj.edu ): 1 Time(s)
      root (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
      unknown (138.67-18-71.reverse.theplanet.com ): 595 Time(s)
      unknown (218.153.147.92 ): 6 Time(s)
      daemon (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
      root (218.153.147.92 ): 3 Time(s)
      rpc (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
      unknown (10.136.16.244 ): 1 Time(s)
      smmsp (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
The numbers look like an IP, and I did a whois both forward (138.67.18.71) and (71.18.67.138), and both are the Colorado School of Mines. I suspect a student or ex-student.
mark