[TriLUG] Failed logins

David McDowell turnpike420 at gmail.com
Fri Sep 2 14:42:10 EDT 2005


There are bad scripties all over the place doing this.  One single
night can have none, while another night might have 2 to 4000 attempts
from a single IP with oodles of different usernames attempted, both
legal and illegal usernames.  Best practice of disallowing root login
has already been mentioned.  Make sure you do any security updates put
out by your distro to keep things like ssh and openssl type programs
as updated as possible.

Most of the time when I whois these IPs, they are coming from Korea
and other Asian-based countries.  I don't even bother... but if I
whois an IP and see it is US owned, I file complaints with both the
ISP owner and the user company if there is one (b/c it may not come
from a residential IP) to their abuse and security departments.  On
rare occasions, I've actually had my messages personally replied to
(outside of the auto-reply from ISP abuse accounts) which stated they
had become aware of the attack and had shut down that computer/port,
etc.

laters,
David McD


On 9/2/05, Lisa Boyd <leaseahb at gmail.com> wrote:
> I've been checking my Logwatch files and have noticed some failed
> logins for root listed under sshd. I assume someone is trying to break
> into my server, but is this something to seriously worry about?
> Considering my root password is not a dictionary word ;)
> 
> Thanks!
> Lisa B.
>
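
Added example, not part of the original message: one way to pull the pattern described in the reply (many failures from one IP across many usernames, known and unknown) out of an sshd auth log. The sample lines, thresholds and function names are constructed for illustration, and the regex assumes OpenSSH's "Failed password for ..." log wording.

```python
import re
from collections import defaultdict

# Matches OpenSSH "Failed password" lines; older releases logged
# "illegal user" where current ones log "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<unknown>(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines (documentation-range IPs), not real log data.
SAMPLE_LOG = """\
Sep  2 03:11:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40111 ssh2
Sep  2 03:11:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Sep  2 03:11:05 host sshd[2105]: Failed password for illegal user test from 203.0.113.7 port 40113 ssh2
Sep  2 03:11:07 host sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 40114 ssh2
Sep  2 03:11:09 host sshd[2109]: Failed password for root from 203.0.113.7 port 40115 ssh2
Sep  2 08:30:12 host sshd[3301]: Failed password for lisa from 198.51.100.20 port 51000 ssh2
Sep  2 08:30:20 host sshd[3301]: Accepted password for lisa from 198.51.100.20 port 51000 ssh2
"""

def summarize(log_text):
    """Return {ip: {"attempts", "users", "unknown", "root"}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "unknown": 0, "root": 0})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["unknown"] += bool(m["unknown"])   # username does not exist on the host
        s["root"] += m["user"] == "root"     # direct root guesses
    return dict(stats)

def suspects(stats, min_attempts=5, min_users=3):
    """IPs whose failures look like a username sweep (thresholds are assumed)."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in suspects(stats):
        s = stats[ip]
        print(f"{ip}: {s['attempts']} failures, {len(s['users'])} usernames, "
              f"{s['unknown']} unknown, {s['root']} for root")
```

The single mistyped password from 198.51.100.20 stays below both thresholds, so only the sweeping address is reported.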
