Re: On defense of the sshd crackers

To: debian-user@lists.debian.org
Subject: Re: On defense of the sshd crackers
From: "Sergio Cuéllar Valdés" <herrsergio@gmail.com>
Date: Tue, 9 Oct 2007 09:33:24 -0500
Message-id: <[🔎] 7663371b0710090733s746814f0xdace94197be09672@mail.gmail.com>
In-reply-to: <[🔎] feg2jk$kv3$1@sea.gmane.org>
References: <[🔎] feg2jk$kv3$1@sea.gmane.org>

2007/10/9, T o n g <mlist4suntong@yahoo.com>:
> [The is a security configuration question. Let me try it here to see if I
> can some valuable inputs before heading to newsgroup]
>
> Hi,
>
> I used to turn on my sshd just in case that I need to ssh back into my
> box. But recently, I noticed that whenever I turn it on, almost instantly,
> there will be a cracker attempting cracking into my sshd:
>
>  $ tail -15 /var/log/auth.log
>  Oct  6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152
>  Oct  6 10:52:05 cxmr sshd[7374]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
>  Oct  6 10:52:05 cxmr sshd[7374]: (pam_unix) check pass; user unknown
>  Oct  6 10:52:05 cxmr sshd[7374]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
>  Oct  6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2
>  Oct  6 10:52:10 cxmr sshd[7379]: Invalid user german from 220.229.57.152
>  Oct  6 10:52:10 cxmr sshd[7379]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
>  Oct  6 10:52:10 cxmr sshd[7379]: (pam_unix) check pass; user unknown
>  Oct  6 10:52:10 cxmr sshd[7379]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
>  Oct  6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2
>  Oct  6 10:52:20 cxmr sshd[7384]: Invalid user hitler from 220.229.57.152
>  Oct  6 10:52:20 cxmr sshd[7384]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
>  Oct  6 10:52:20 cxmr sshd[7384]: (pam_unix) check pass; user unknown
>  Oct  6 10:52:20 cxmr sshd[7384]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
>  Oct  6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2
>
> What's your recommendation to such situation?
>
> PS.
>
> 1. I used to track down their ISP and complain about the cracking attempts,
> but nobody seems to be listening to me, and there has never been any
> responses.
>
> 2. I think the (default Debian) sshd configuration should be changed. Even
> when someone attempts cracking by typing in user names and passwords
> manually in front of tty will be penalized. But I've notice my sshd joyfully
> allows thousands of cracking attempts within minutes. This is rather silly,
> or incompetent.
>
> Please comment.
>
> thanks


Hello,

you can install denyhosts:

$ apt-cache search denyhosts
denyhosts - an utility to help sys admins thwart ssh hackers

or you can change the default ssh port.

Best regards,
Sergio Cuellar

Reply to:

References:
- On defense of the sshd crackers
  - From: T o n g <mlist4suntong@yahoo.com>

Prev by Date: Re: On defense of the sshd crackers
Next by Date: Re: On defense of the sshd crackers
Previous by thread: Re: On defense of the sshd crackers
Next by thread: Re: On defense of the sshd crackers
Index(es):
- Date
- Thread