Re: [LAD] [ot] - NEED some security advise PLEASE!

From: Arnold Krille <arnold@email-addr-hidden>
Date: Sun Feb 15 2009 - 11:32:25 EET

On Sunday 15 February 2009 00:43:17 Fons Adriaensen wrote:
> On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien Claassen wrote:
> > 8226 ? Ss 0:00 sshd: unknown [priv]
> > 8227 ? S 0:00 sshd: unknown [net]
> >
> > Just before that I only saw "sshd [accept]" and "sshd [net]".
> > Shutdown sshd and made new password and restarted sshd. Now it's the
> > same. Can I easily check where it's coming from and what it's doing. I
> > don't see anything besides those two lines. No other strange processes.
> Someone is trying a ssh login - usually from the former
> east block - and probably trying a list of user names
> and passwords. Do (as root) tail -50 /var/log/secure
> to see the show.
> It happens here all the time. As long as you don't have
> any easily guessed user/passwd combinations the danger
> is limited, and closing your network connection for a
> minute usually makes them go away. Configuring sshd to
> allow only dsa authentication is better of course.

I have a script that filters the log files for "invalid user", extracts the IP
and adds it to the RECENT table (which is used for blocking for five minutes).
But some of these attackers have botnets, which means a lot of IPs to be
blocked before they finished their username-list...

From my experience using key-logins only helps when you have only Linux users.
Most Windows people don't really understand the concepts of security, public
keys and such.

Arnold


Received on Sun Feb 15 12:15:02 2009
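
The log filter described in the message above, as an added example that is not the poster's script: it pulls the source address out of sshd "invalid user" lines and prints each address seen at least a given number of times. The function names, the threshold argument, the traditional syslog line layout (process name in the fifth field), IPv4-only matching and the embedded log lines are assumptions made for the example; the blocking step itself is not shown.

```shell
#!/bin/sh
# Added example: extract source IPs from sshd "invalid user" log lines.

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
Feb 14 23:55:13 host sshd[8226]: Invalid user admin from 203.0.113.5
Feb 14 23:55:15 host sshd[8226]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Feb 14 23:55:20 host sshd[8230]: Invalid user test from 198.51.100.7
Feb 14 23:55:21 host sshd[8231]: Invalid user x from 192.0.2.1 from 203.0.113.5 port 40113
Feb 14 23:55:30 host sshd[8232]: Accepted publickey for alice from 192.0.2.44 port 50022 ssh2
Feb 14 23:55:31 host sshd[8233]: Invalid user oracle from 999.1.1.1
EOF
}

# invalid_user_ips [THRESHOLD] < logfile
# Prints, sorted, every IPv4 source with at least THRESHOLD matching lines.
invalid_user_ips() {
    awk -v min="${1:-1}" '
    # Only lines written by sshd itself, and only the "invalid user" ones.
    $5 ~ /^sshd\[[0-9]+\]:$/ && tolower($0) ~ /invalid user / {
        line = $0
        sub(/ ssh2$/, "", line)          # strip optional trailing fields
        sub(/ port [0-9]+$/, "", line)
        # The user name is text chosen by the remote side, so only the
        # address at the very end of the line is trusted as the source.
        if (match(line, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)) {
            ip = substr(line, RSTART + 6, RLENGTH - 6)
            split(ip, o, ".")
            # Drop strings that look like an address but are not one.
            if (o[1]+0 <= 255 && o[2]+0 <= 255 && o[3]+0 <= 255 && o[4]+0 <= 255)
                count[ip]++
        }
    }
    END { for (ip in count) if (count[ip] >= min + 0) print ip }
    ' | sort
}

# Stand-alone run on the constructed sample: addresses with 2 or more hits.
sample_log | invalid_user_ips 2
```

Anchoring on the end of the line keeps an address embedded in a user name (the fourth sample line) from being reported as the source, which matters when the output feeds an automatic block list.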
