[SATLUG] /var/log/secure: ssh attack
Leo E. Midha
leoem at satx.rr.com
Fri Sep 3 19:33:34 CDT 2004
Like the log says, don't panic. These are common probes. I wouldn't worry
about it unless you see a successful login. If you still don't feel secure,
then I would suggest you look at setting up an iptables firewall ruleset
which would "stealth" these kinds of ports.
NetrixTardis
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GAT d--- s:- a-- C+++ UL P+ L++ E---- W+++ N o- K--- w
O+ M V PS+ PE++ Y+ PGP t++ 5++ X+ R* tv++ b+ DI+ D+
G e h--- r+++ y+++
------END GEEK CODE BLOCK------
-----Original Message-----
From: satlug-bounces at satlug.org [mailto:satlug-bounces at satlug.org] On Behalf
Of Luis
Sent: Friday, September 03, 2004 6:24 PM
To: The San Antonio Linux User's Group Mailing List
Subject: [SATLUG] /var/log/secure: ssh attack
It appears that someone has found out that I have been using Linux.
In my /var/log/secure, I have found:
Failed password for illegal user admin from 202.114.88.96 port 36122 ssh2
sshd[2479]: Failed password for illegal user test from 212.234.101.249 port 53231 ssh2
sshd[2573]: scanned from 66.15.86.156 with SSH-1.0-SSH_Version_Mapper. Don't panic.
I have put them in my /etc/hosts.deny.
# Print the password status of every account listed in /etc/passwd
cut -d: -f1 /etc/passwd | while read -r a
do
    passwd -S "$a"
done
I did an nslookup on the IP address and a whois on the name server.
I emailed the admin to let them know about the abuse from their user.
In the old days they used to knock off users for that.
Any other suggestions?
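Added example, not part of either message above: one way to act on the advice in the reply, tallying sshd failures per source address from /var/log/secure-style lines and flagging any address that logs in successfully after repeated failures. The sample log, the function name summarize and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the /var/log/secure lines quoted above
# (addresses are from documentation ranges; host and user names are made up).
SAMPLE_LOG = """\
Sep  3 17:02:11 host sshd[2479]: Failed password for illegal user admin from 192.0.2.10 port 36122 ssh2
Sep  3 17:02:14 host sshd[2481]: Failed password for illegal user test from 192.0.2.10 port 36130 ssh2
Sep  3 17:02:19 host sshd[2483]: Failed password for root from 192.0.2.10 port 36141 ssh2
Sep  3 17:05:40 host sshd[2573]: scanned from 198.51.100.7 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Sep  3 17:09:02 host sshd[2590]: Failed password for luis from 203.0.113.5 port 40022 ssh2
Sep  3 17:09:09 host sshd[2590]: Accepted password for luis from 203.0.113.5 port 40022 ssh2
Sep  3 18:30:00 host sshd[2700]: Accepted password for luis from 192.0.2.10 port 36200 ssh2
"""

# Older sshd logs "illegal user", newer versions log "invalid user".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SCAN_RE = re.compile(r"sshd\[\d+\]: scanned from (?P<ip>\S+) with ")


def summarize(log_text, threshold=3):
    """Return (per-address stats, [(ip, user)] accepted after >= threshold failures)."""
    stats = defaultdict(
        lambda: {"failed": 0, "users": set(), "accepted": [], "scanned": False})
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m and m["result"] == "Failed":
            stats[m["ip"]]["failed"] += 1
            stats[m["ip"]]["users"].add(m["user"])
        elif m:
            # Successful login: alert only if this address already failed often.
            if stats[m["ip"]]["failed"] >= threshold:
                alerts.append((m["ip"], m["user"]))
            stats[m["ip"]]["accepted"].append(m["user"])
        else:
            m = SCAN_RE.search(line)
            if m:
                stats[m["ip"]]["scanned"] = True
    return dict(stats), alerts


if __name__ == "__main__":
    stats, alerts = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, s["failed"], sorted(s["users"]), s["accepted"], s["scanned"])
    print("accepted after repeated failures:", alerts)
```

A single mistyped password followed by a good login (203.0.113.5 in the sample) stays below the threshold and is not flagged.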