[BUGS] Constant SSH login spam

jonathan michaels jlm at caamora.com.au
Tue Feb 5 09:24:48 EST 2008


On Mon, Feb 04, 2008 at 07:51:06AM +1100, Andrew Reilly wrote:
> Hi Jerahmy,
> 
> On Mon, 4 Feb 2008 03:53:16 +1100
> Jerahmy Pocott <quakenet1 at optusnet.com.au> wrote:
> 
> > Is anyone else seeing massive amounts of SSH login attempts on their  
> > servers?
> 
> Yes, but no more than usual.

sort of same here .. though, now it seems like the main two are
the 'router' and the secondary dns host .. not so sure about
the mx host as it is v2.2.7 (it seems to not have any complaints
about login failures .. as far as i can tell).
 
> > Is there some recent SSH vulnerability that I didn't hear  
> > about? My firewall here is constantly blocking connections, around 200  
> > or so per day.. Then on a server that actually allows remote ssh  
> > connections I get security log files going into the megabytes listing  
> > things like:
> 
> Don't you have newsyslog.conf set to limit their size?  My
> auth.log files roll over at 100k.  The last one had 1200 Invalid
> user lines over four days, though.  By comparison, I get twenty
> times as much spam as that.
> 
> > Feb  3 03:31:57 beastie sshd[65656]: Invalid user a from 190.76.248.24
> > Feb  3 03:32:00 beastie sshd[65658]: Invalid user b from 190.76.248.24
> > Feb  3 03:32:02 beastie sshd[65660]: Invalid user c from 190.76.248.24

is it worth blocking those ip addresses ? either the one in
/var/log/auth.log or the one caught with /var/log/messages ??

i was wondering if there is any real difference (philosophies between
the messages, auth.log) reasons for putting/capturing ... why
are there two ways of displaying data that to me seems to be
the same ??  

regards

jonathan

-- 
================================================================
powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====
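
Added example, not part of the original message: one way to ground the "worth blocking" question in the log itself is to count sshd "Invalid user" lines per source address inside a time window. The sample lines are constructed in the format quoted above (203.0.113.7 and 192.0.2.10 are documentation addresses); the function names, the year, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the auth.log lines quoted in the thread.
SAMPLE = """\
Feb  3 03:31:57 beastie sshd[65656]: Invalid user a from 190.76.248.24
Feb  3 03:32:00 beastie sshd[65658]: Invalid user b from 190.76.248.24
Feb  3 03:32:02 beastie sshd[65660]: Invalid user c from 190.76.248.24
Feb  3 09:10:11 beastie sshd[70001]: Invalid user backup from 203.0.113.7
Feb  3 09:15:40 beastie sshd[70002]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# The username is supplied by the remote side and may itself contain " from <ip>",
# so the greedy match takes the LAST " from <addr>" on the line, the one sshd appends.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>[0-9a-fA-F.:]+)(?: port \d+)?$"
)

def parse(text, year=2008):
    """Yield (timestamp, user, ip); syslog stamps have no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE.match(line.rstrip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(events, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: most failures inside any one window} for IPs reaching threshold."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # slide the window forward past stale attempts
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in offenders(parse(SAMPLE)).items():
        print(f"{ip}: {n} invalid-user attempts within 10 minutes")
```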

