Re: intrusion via ssh
On Thu, 2005-03-31 at 12:55 +0200, Frederic Guillet wrote:
> Hi,
>
> I just checked my mail log on my server (that runs sarge with postfix)
> and got this kind of line:
>
> MAR 30 20:01:33 servername sshd[17890] illegal user john from 24.15.134.130
>
> I have about 500 attempts with different usernames and the same IP, so I
> guess it is a robot which is trying to enter my system.
>
> The problem with such a log is that it does not say if the user has
> succeeded in entering the machine or if the attempt has failed.
>
> Any config advice or tutorials are welcome.
Check /var/log/auth.log.
Perhaps you would consider using knockd (a port knocking daemon) to
tighten security.
Also, you should disallow root login via ssh (/etc/ssh/sshd_config).
-matt zagrabelny
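
One way to do the auth.log check suggested above, as an added example that is not part of the original message: count failed logins per source IP and flag any accepted login from an IP that has already failed repeatedly. The sample lines are constructed in the usual sshd syslog format, and `summarize` and `min_failures` are names chosen for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in the usual sshd syslog format (not the poster's real log).
SAMPLE_LOG = """\
Mar 30 20:01:33 servername sshd[17890]: Illegal user john from 24.15.134.130
Mar 30 20:01:35 servername sshd[17890]: Failed password for illegal user john from 24.15.134.130 port 41022 ssh2
Mar 30 20:01:39 servername sshd[17893]: Failed password for root from 24.15.134.130 port 41030 ssh2
Mar 30 20:02:10 servername sshd[17901]: Accepted password for fred from 192.0.2.10 port 50112 ssh2
Mar 30 20:03:02 servername sshd[17950]: Failed password for test from 24.15.134.130 port 41100 ssh2
Mar 30 20:03:40 servername sshd[17960]: Accepted password for test from 24.15.134.130 port 41131 ssh2
"""

# "Failed <method> for [illegal|invalid user ]<name> from <ip>"
FAILED = re.compile(
    r"sshd\[\d+\]:? Failed \S+ for (?:(?:illegal|invalid) user )?(\S+) from (\S+)")
# "Accepted <method> for <name> from <ip>"
ACCEPTED = re.compile(r"sshd\[\d+\]:? Accepted (\S+) for (\S+) from (\S+)")


def summarize(log_text, min_failures=3):
    """Count failed logins per source IP and flag every accepted login that
    comes from an IP which already has at least min_failures failures."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if failures.get(ip, 0) >= min_failures:
                suspicious.append((user, ip, method))
    return {"failures": dict(failures),
            "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
            "suspicious": suspicious}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)  # for a real host, pass the text of /var/log/auth.log
    for ip, n in report["failures"].items():
        print(f"{ip}: {n} failed logins, users tried: {report['users_tried'][ip]}")
    for user, ip, method in report["suspicious"]:
        print(f"CHECK: {user} logged in from {ip} via {method} after repeated failures")
```

An empty `suspicious` list means no accepted login followed the failures in the text that was parsed; rotated logs (auth.log.0 and older) need to be checked the same way.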