[Tfug] Stopping repeated login attempts

brandon brandons.daemon at gmail.com
Thu Jan 28 11:39:02 MST 2010


So as a test.... today I moved sshd back to the default port. I have had my
home network set up, nothing special, just sshd on a different port. I did this
at ~6 am. I then put a tail in screen and checked periodically. Now, ~5 hrs
later, I am already being scanned. I have never had a scan on that box until
now. I am going to move it to 2222, 2022, 2202 later on and see how long it
takes before the scans start again. Then move it back to the port that I had
it on originally. Just curious to see what happens =) This IP also appears
to be from China.


2010-01-28T11:37:46.828973-07:00 myhostname sshd[29658]: reverse mapping checking getaddrinfo for 17.193.178.61.dail.pl.gs.dynamic.163data.com.cn[61.178.193.17] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-28T11:37:46.829450-07:00 myhostname sshd[29658]: Invalid user ram from 61.178.193.17
2010-01-28T11:37:46.830977-07:00 myhostname sshd[29658]: pam_unix(sshd:auth): check pass; user unknown
2010-01-28T11:37:46.831265-07:00 myhostname sshd[29658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.193.17
2010-01-28T11:37:47.266641-07:00 myhostname sshd[29660]: reverse mapping checking getaddrinfo for 17.193.178.61.dail.pl.gs.dynamic.163data.com.cn[61.178.193.17] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-28T11:37:47.267057-07:00 myhostname sshd[29660]: Invalid user admin123 from 61.178.193.17
2010-01-28T11:37:47.268578-07:00 myhostname sshd[29660]: pam_unix(sshd:auth): check pass; user unknown
2010-01-28T11:37:47.268921-07:00 myhostname sshd[29660]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.193.17
2010-01-28T11:37:47.731386-07:00 myhostname sshd[29656]: Failed password for invalid user admin from 61.178.193.17 port 50396 ssh2
2010-01-28T11:37:48.370901-07:00 myhostname sshd[29658]: Failed password for invalid user ram from 61.178.193.17 port 51090 ssh2
2010-01-28T11:37:49.280163-07:00 myhostname sshd[29660]: Failed password for invalid user admin123 from 61.178.193.17 port 51418 ssh2
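
An added example, not part of the post above: one way to turn the tail output into a per-source tally and flag repeated failures, using the "Failed password" lines from the post with the mail wrapping undone. The function names, the threshold of 3 and the 60-second window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# "Failed password" lines from the post above, line wrapping undone.
SAMPLE_LOG = """\
2010-01-28T11:37:47.731386-07:00 myhostname sshd[29656]: Failed password for invalid user admin from 61.178.193.17 port 50396 ssh2
2010-01-28T11:37:48.370901-07:00 myhostname sshd[29658]: Failed password for invalid user ram from 61.178.193.17 port 51090 ssh2
2010-01-28T11:37:49.280163-07:00 myhostname sshd[29660]: Failed password for invalid user admin123 from 61.178.193.17 port 51418 ssh2
"""

# The username is chosen by the remote side and may contain " from 10.0.0.1".
# A greedy .* plus the end anchor ties the IP to the text sshd itself appended.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$")

def failed_logins(text):
    """Yield (timestamp, source_ip, username) for each failed password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]

def summarize(text):
    """Map each source IP to the usernames it tried and its attempt times."""
    out = {}
    for ts, ip, user in failed_logins(text):
        s = out.setdefault(ip, {"users": set(), "times": []})
        s["users"].add(user)
        s["times"].append(ts)
    return out

def repeat_offenders(text, threshold=3, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` failures inside any `window`."""
    flagged = []
    for ip, s in summarize(text).items():
        t = sorted(s["times"])
        if any(t[i + threshold - 1] - t[i] <= window
               for i in range(len(t) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, len(s["times"]), "failures, users:", sorted(s["users"]))
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```
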