[WBEL-users] SSH Hack/Login attempts

Van Loggins vloggins@turbocorp.com
Mon, 9 Aug 2004 08:00:20 -0400


Same here,

I have been using this to block them via iptables:

iptables -A INPUT -s <ip address to be blocked> -j DROP

The system in question is a Fedora Core 1 box that has been
set up to allow ssh connections in on 3 accounts (but no X11
sessions), but each of these accounts has a totally different
password than their internal network password, and to gain
access to our internal network they have to use ssh to get
into the internal network.

This system has portsentry set up and has been configured to
ignore any incoming port activity except for SSH.

I've been monitoring the logwatch emails I get from this
system as well as the system check emails that portsentry is
set up to send and use the info to manually drop the
addresses with the above command.

I wish I could configure portsentry to automatically block
any IP addresses that attempt to connect multiple times
with bogus user names or invalid passwords like these have
been.

The trick would be to set it not to be too sensitive just in
case a valid user accidentally mistypes their password once
or twice when logging into the system.





On Sun, 08 Aug 2004 12:00:01 -0500
whitebox-users-request@beau.org wrote:

> 
> Message: 2
> Subject: Re: [WBEL-users] SSH Hack/Login attempts
> From: Sudev Barar <sudev@mantraonline.com>
> To: whitebox-users@beau.org
> Date: Sun, 08 Aug 2004 20:22:46 +0530
> 
> On Sun, 2004-08-08 at 19:09, Jeff Maze wrote:
> > from attempting to be logged into via SSH.  Lately, over
> > the last week or so, I've seen a lot of login attempts
> > via test, admin, and guest accounts.
> If you look at the origin of all these attempts the whois
> info points mostly at some IPs registered in South Korea.
> Have also seen many attempts in the last two weeks on
> guest / test
> -- 
> Sudev Barar
> Learning Linux


-- 
Van Loggins        vloggins@turbocorp.com
Assistant System Administrator - ESC Dept
      _
     -o)
     /\\
    _\_v
Linux User #316727
678-989-3052
Turbo Logistics
http://www.turbocorp.com
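
The automatic blocking wished for in the message above, sketched as an added example that is not part of the original post: it counts failed SSH logins per source address inside a time window and emits the same `iptables ... -j DROP` command only once a threshold is reached, so one or two mistyped passwords do not trigger a block. The sshd log line format, the sample lines, the function names `offenders` and `drop_rules`, and the threshold of 5 failures in 10 minutes are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines (documentation IPs); not taken from the original post.
SAMPLE_LOG = """\
Aug  8 03:10:01 gw sshd[811]: Failed password for illegal user test from 203.0.113.7 port 4001 ssh2
Aug  8 03:10:04 gw sshd[813]: Failed password for illegal user admin from 203.0.113.7 port 4002 ssh2
Aug  8 03:10:07 gw sshd[815]: Failed password for illegal user guest from 203.0.113.7 port 4003 ssh2
Aug  8 03:10:11 gw sshd[817]: Failed password for invalid user test from 203.0.113.7 port 4004 ssh2
Aug  8 03:10:15 gw sshd[819]: Failed password for root from 203.0.113.7 port 4005 ssh2
Aug  8 09:02:30 gw sshd[901]: Failed password for alice from 198.51.100.20 port 5101 ssh2
Aug  8 09:02:41 gw sshd[901]: Failed password for alice from 198.51.100.20 port 5101 ssh2
"""

# Assumed format: syslog timestamp, host, sshd[pid], "Failed password for [illegal|invalid user] NAME from IP".
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?\S+ from (\S+) port \d+"
)

def offenders(log_text, threshold=5, window=timedelta(minutes=10), allow=(), year=2004):
    """Return IPs with at least `threshold` failed logins inside one `window`."""
    recent, flagged = defaultdict(deque), []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:  # log content is attacker-influenced: accept only a real IPv4 address
            ip = str(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue
        if ip in allow or ip in flagged:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.append(ip)
    return flagged

def drop_rules(ips):
    # Same rule form as in the message; returned as text for review, not executed.
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

The `allow` argument is a place to list addresses that must never be blocked, such as the administrator's own.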