On defense against sshd crackers
[This is a security configuration question. Let me try it here to see if I
can get some valuable input before heading to the newsgroup]
Hi,
I used to turn on my sshd just in case I needed to ssh back into my
box. But recently I noticed that whenever I turn it on, almost instantly
there will be a cracker attempting to crack into my sshd:
$ tail -15 /var/log/auth.log
Oct 6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152
Oct 6 10:52:05 cxmr sshd[7374]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) check pass; user unknown
Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
Oct 6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2
Oct 6 10:52:10 cxmr sshd[7379]: Invalid user german from 220.229.57.152
Oct 6 10:52:10 cxmr sshd[7379]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) check pass; user unknown
Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
Oct 6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2
Oct 6 10:52:20 cxmr sshd[7384]: Invalid user hitler from 220.229.57.152
Oct 6 10:52:20 cxmr sshd[7384]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) check pass; user unknown
Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
Oct 6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2
What's your recommendation for such a situation?
PS.
1. I used to track down their ISP and complain about the cracking attempts,
but nobody seems to be listening to me, and there have never been any
responses.
2. I think the (default Debian) sshd configuration should be changed. Even
someone who attempts cracking by typing in user names and passwords
manually in front of a tty will be penalized. But I've noticed my sshd joyfully
allows thousands of cracking attempts within minutes. This is rather silly,
or incompetent.
Please comment.
thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
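The guessing pattern in the log above, as an added example that is not part of the original post and not Debian's or OpenSSH's own tooling: a short Python script that parses the "Failed password" lines shown and flags a source address once it reaches three failures inside a sixty-second sliding window, which is the per-address penalty the post is asking for (fail2ban and sshguard apply the same idea by watching this same log). The 220.229.57.152 lines are taken from the excerpt; the lines marked as constructed, the year 2005 (syslog timestamps carry none), and the 198.51.100.7 and 192.0.2.10 addresses are assumptions.

```python
"""Sliding-window detection of ssh password guessing over auth.log lines.

Added example, not code from the original post. It counts only the
"Failed password" line of each attempt (not the preceding "Invalid user" and
pam_unix lines), so one guess is counted once, and reports an address the
moment it accumulates THRESHOLD failures within WINDOW seconds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2005   # assumption: syslog timestamps omit the year
THRESHOLD = 3         # failures ...
WINDOW = 60           # ... within this many seconds from one address

# Matches the OpenSSH "Failed password" line as it appears in the excerpt.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

SAMPLE_LOG = [
    # Constructed: an address that fails three times but 90 s apart, so it
    # never has three failures inside one 60 s window and must not be flagged.
    "Oct 6 10:40:00 cxmr sshd[7301]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Oct 6 10:41:30 cxmr sshd[7305]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "Oct 6 10:43:00 cxmr sshd[7309]: Failed password for root from 198.51.100.7 port 51004 ssh2",
    # The fifteen lines from the auth.log excerpt in the post.
    "Oct 6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152",
    "Oct 6 10:52:05 cxmr sshd[7374]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) check pass; user unknown",
    "Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152",
    "Oct 6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2",
    "Oct 6 10:52:10 cxmr sshd[7379]: Invalid user german from 220.229.57.152",
    "Oct 6 10:52:10 cxmr sshd[7379]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) check pass; user unknown",
    "Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152",
    "Oct 6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2",
    "Oct 6 10:52:20 cxmr sshd[7384]: Invalid user hitler from 220.229.57.152",
    "Oct 6 10:52:20 cxmr sshd[7384]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) check pass; user unknown",
    "Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152",
    "Oct 6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2",
    # Constructed: a legitimate user mistypes once, then logs in with a key.
    "Oct 6 10:53:01 cxmr sshd[7390]: Failed password for tong from 192.0.2.10 port 40001 ssh2",
    "Oct 6 10:53:05 cxmr sshd[7390]: Accepted publickey for tong from 192.0.2.10 port 40001 ssh2",
]


def parse_failures(lines):
    """Yield (timestamp, ip, user, is_invalid_user) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
        yield ts, m["ip"], m["user"], m["invalid"] is not None


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: {"count", "users", "first", "last"}} for every source address
    whose failures reach `threshold` inside a `window`-second sliding window.
    Lines are assumed to be in log order; each address is reported once, at
    the moment it trips, with the user names it has tried so far."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(list)     # ip -> every user name guessed from that address
    flagged = {}
    for ts, ip, user, _invalid in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].append(user)
        while (ts - q[0]).total_seconds() > window:   # drop failures that aged out
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"count": len(q), "users": list(users[ip]),
                           "first": q[0], "last": ts}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failures between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S}, users tried: {', '.join(info['users'])}")
```

Run against the sample, only 220.229.57.152 is reported, tripping on its third failure at 10:52:22; the address that fails every 90 seconds and the user who mistypes once stay below the threshold. The reason sshd itself behaves as the post describes is that its own limits are per connection (MaxAuthTries, MaxStartups, LoginGraceTime), not per source address; throttling across connections needs a watcher like this feeding a firewall rule or tcp_wrappers, and setting PasswordAuthentication no in sshd_config removes the guessing surface altogether.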