
On defense against the sshd crackers



[This is a security configuration question. Let me try it here to see if I
can get some valuable input before heading to a newsgroup]

Hi,

I used to turn on my sshd just in case I need to ssh back into my
box. But recently I noticed that whenever I turn it on, almost instantly,
there will be a cracker attempting to crack into my sshd:

 $ tail -15 /var/log/auth.log
 Oct  6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152
 Oct  6 10:52:05 cxmr sshd[7374]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
 Oct  6 10:52:05 cxmr sshd[7374]: (pam_unix) check pass; user unknown
 Oct  6 10:52:05 cxmr sshd[7374]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152 
 Oct  6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2
 Oct  6 10:52:10 cxmr sshd[7379]: Invalid user german from 220.229.57.152
 Oct  6 10:52:10 cxmr sshd[7379]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
 Oct  6 10:52:10 cxmr sshd[7379]: (pam_unix) check pass; user unknown
 Oct  6 10:52:10 cxmr sshd[7379]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152 
 Oct  6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2
 Oct  6 10:52:20 cxmr sshd[7384]: Invalid user hitler from 220.229.57.152
 Oct  6 10:52:20 cxmr sshd[7384]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
 Oct  6 10:52:20 cxmr sshd[7384]: (pam_unix) check pass; user unknown
 Oct  6 10:52:20 cxmr sshd[7384]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152 
 Oct  6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2

What's your recommendation for such a situation?

PS.

1. I used to track down their ISP and complain about the cracking attempts,
but nobody seems to be listening to me, and there have never been any
responses.

2. I think the (default Debian) sshd configuration should be changed. Even
someone who attempts cracking by typing in user names and passwords
manually at a tty will be penalized. But I've noticed my sshd joyfully
allows thousands of cracking attempts within minutes. This is rather silly,
or incompetent.

Please comment.

thanks


-- 
Tong (remove underscore(s) to reply)
  http://xpt.sourceforge.net/techdocs/
  http://xpt.sourceforge.net/tools/
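
Added example, not part of Tong's post or of any reply to it: the per-source
counting that tools such as fail2ban or denyhosts do on auth.log before
they insert a firewall rule, run over the log lines quoted above. The
threshold (3 failures) and window (60 seconds) are assumed values, not
anything the post recommends; the lines marked CONSTRUCTED were made up
for the example. Two details matter in practice: sshd logs three lines per
guess ("Invalid user", a pam_unix failure, "Failed password"), so only the
"Failed password" line is counted, and syslog timestamps carry no year, so
only differences between them are used.

```python
"""Flag sshd password-guessing sources in auth.log lines.

Added example (not from the original post). Counts 'Failed password'
lines per source address and reports addresses that exceed a threshold
inside a sliding time window, the check fail2ban/denyhosts perform
before blocking a host. Sample lines without a CONSTRUCTED note are
copied from the post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Exactly one 'Failed password' line is logged per guess. sshd also logs
# 'Invalid user ...' and a pam_unix failure for the same guess, so
# matching every line would score each attempt three times.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

SAMPLE_LOG = [
    # From the post: this line is skipped, the 'Failed password' line below counts.
    "Oct  6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152",
    "Oct  6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2",
    "Oct  6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2",
    "Oct  6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2",
    # CONSTRUCTED: a legitimate key login must not be counted.
    "Oct  6 10:53:01 cxmr sshd[7390]: Accepted publickey for tong from 192.0.2.10 port 50001 ssh2",
    # CONSTRUCTED: two slow guesses from a second host, an hour apart.
    "Oct  6 08:00:00 cxmr sshd[7001]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Oct  6 09:00:00 cxmr sshd[7002]: Failed password for root from 198.51.100.7 port 40002 ssh2",
]


def parse_failures(lines):
    """Return [(timestamp, ip, user)] for every 'Failed password' line.

    syslog timestamps have no year, so strptime yields year 1900; only
    the differences between timestamps are used below. A log that spans
    New Year would need the year supplied from elsewhere.
    """
    failures = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            failures.append((ts, m.group("ip"), m.group("user")))
    return failures


def failures_by_source(lines):
    """Total failed guesses per source address, regardless of timing."""
    counts = defaultdict(int)
    for _, ip, _ in parse_failures(lines):
        counts[ip] += 1
    return dict(counts)


def sources_to_block(lines, threshold=3, window_seconds=60):
    """Addresses with >= threshold failures inside any window_seconds span.

    Sliding window over each address's sorted timestamps, so a host that
    guesses slowly (below the rate) is counted but not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(lines):
        by_ip[ip].append(ts)
    flagged = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for ip, n in sorted(failures_by_source(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failed guesses")
    print("would block:", sources_to_block(SAMPLE_LOG))
```

On the sample, 220.229.57.152 produces three failures in 15 seconds and is
flagged with the assumed defaults, while 198.51.100.7 has two failures an
hour apart and is only flagged if the window is widened to an hour and the
threshold lowered to two; the successful publickey login is never counted.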


