[Techtalk] 216 ssh login attempts, what to do?

Colleen Hatfield evilpig at gmail.com
Tue Oct 12 20:46:21 EST 2004


On Tue, 12 Oct 2004 21:17:32 -0400, aec <brat at magma.ca> wrote:
> Hey,
> 
> Recently, someone has attempted to login to my Debian woody
> server 216 times.
> 
> Oct 12 03:50:55 lemonjelly sshd[5495]: Could not reverse map address
> 69.182.27.122.
> Oct 12 03:50:55 lemonjelly sshd[5495]: User root not allowed because
> not listed in AllowUsers
> 
> I have 3 people in AllowUsers, and if you do not use that username
> and supply the right password, you don't get in. I am thinking that
> I should now limit the allowed users to specific ip addresses also, to
> make it even harder, I would hope.
> 
> This person is trying root, www-data, nobody, backup and many common
> nix-like system usernames.
<snip>

Hi Angelina,

A lot of people (myself included) are seeing this - check out almost
any security mailing list and it's been discussed in the last month or
two.  It's automated scanning for common accounts and weak passwords
(rather than brute force or dictionary attacks on specific targets). 
As long as you have strong passwords on your accounts I wouldn't worry
about this in particular.  I can't help you with specifics on using
iptables to block the IPs dynamically, but there are a couple of other
options you might consider.  One would be to disable password-based
authentication and require authentication by public key instead. 
Alternately, you could run sshd on a non-standard port.  This is
"security by obscurity", but it is highly effective in keeping these
automated attacks from hitting your machine.  I haven't seen any of
this activity on my boxes that run sshd on ports other than 22.

- Colleen
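The quoted log excerpt shows why counting these attempts takes a little care: the "User ... not allowed because not listed in AllowUsers" line carries no source address, but the "Could not reverse map address" line written moments earlier by the same sshd[pid] does. The script below is an added example, not code from the thread or from OpenSSH. It correlates the two message types by PID, tallies denied usernames per source address, and flags sources that cycle through several account names, which is the pattern Colleen describes (automated scanning of common accounts rather than a focused attack on one). The log lines are constructed to match the shapes quoted above, use RFC 5737 documentation addresses, and the PID-based correlation is an assumption drawn from the pair of lines sharing sshd[5495] in the quoted excerpt.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines, shaped like the ones quoted in the thread.
# 192.0.2.0/24 and 198.51.100.0/24 are reserved documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 12 03:50:55 lemonjelly sshd[5495]: Could not reverse map address 192.0.2.10.
Oct 12 03:50:55 lemonjelly sshd[5495]: User root not allowed because not listed in AllowUsers
Oct 12 03:50:57 lemonjelly sshd[5497]: Could not reverse map address 192.0.2.10.
Oct 12 03:50:57 lemonjelly sshd[5497]: User www-data not allowed because not listed in AllowUsers
Oct 12 03:50:59 lemonjelly sshd[5499]: Could not reverse map address 192.0.2.10.
Oct 12 03:50:59 lemonjelly sshd[5499]: User nobody not allowed because not listed in AllowUsers
Oct 12 03:51:01 lemonjelly sshd[5501]: Could not reverse map address 192.0.2.10.
Oct 12 03:51:01 lemonjelly sshd[5501]: User backup not allowed because not listed in AllowUsers
Oct 12 04:12:33 lemonjelly sshd[5520]: Could not reverse map address 192.0.2.77.
Oct 12 04:12:33 lemonjelly sshd[5520]: User root not allowed because not listed in AllowUsers
Oct 12 04:13:10 lemonjelly sshd[5523]: Accepted publickey for alice from 198.51.100.5 port 40122 ssh2
"""

# The reverse-map line is the only one of the pair that names the peer address.
REVERSE_MAP = re.compile(r"sshd\[(\d+)\]: Could not reverse map address (\S+)\.$")
# The AllowUsers denial names the account but not the address; we join on the PID.
DENIED = re.compile(r"sshd\[(\d+)\]: User (\S+) not allowed because not listed in AllowUsers")


def denials_by_source(log_text):
    """Return {source_ip: Counter(username -> denial count)}.

    Each connection is handled by a separate sshd child, so its PID ties the
    reverse-map line (which has the address) to the denial line (which has the
    username). A denial whose PID was never seen with an address is filed
    under 'unknown' rather than dropped.
    """
    pid_to_ip = {}
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REVERSE_MAP.search(line)
        if m:
            pid, ip = m.groups()
            pid_to_ip[pid] = ip
            continue
        m = DENIED.search(line)
        if m:
            pid, user = m.groups()
            per_ip[pid_to_ip.get(pid, "unknown")][user] += 1
    return per_ip


def total_denials(per_ip):
    """Total AllowUsers denials across all sources (the '216' in the subject)."""
    return sum(sum(users.values()) for users in per_ip.values())


def scanning_sources(per_ip, min_distinct_users=3):
    """Flag addresses that tried at least min_distinct_users different account
    names: a single source walking root, www-data, nobody, backup and so on is
    the automated account scan described in the thread, not a targeted login."""
    return sorted(ip for ip, users in per_ip.items() if len(users) >= min_distinct_users)


if __name__ == "__main__":
    per_ip = denials_by_source(SAMPLE_LOG)
    print(f"{total_denials(per_ip)} AllowUsers denials")
    for ip, users in sorted(per_ip.items()):
        print(f"  {ip}: {sum(users.values())} attempts, users {sorted(users)}")
    print("scanning sources:", scanning_sources(per_ip))
```

Run against a real `/var/log/auth.log` the script reproduces the per-address view a blocklist or log-watching tool would act on. The two configuration changes Colleen suggests correspond to sshd_config directives that exist in OpenSSH: `PasswordAuthentication no` (with `PubkeyAuthentication yes`) removes the weak-password target these scanners look for, and a `Port` other than 22 moves the service off the port they probe; the per-address restriction the original poster was considering is the `AllowUsers user@host` form of the same directive already in use.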

