Gentoo Archives: gentoo-user

From: Eric Martin <freak4uxxx@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Usernames in ssh attacks
Date: Fri, 20 Mar 2009 12:25:47
Message-Id: 49C38B3D.5050507@gmail.com
In Reply to: Re: [gentoo-user] Usernames in ssh attacks by Paul Hartman
Paul Hartman wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
> <johan.bluecreek@×××××.com> wrote:
>> I've always had usernames when it comes to sshd's log entries in
>> auth.log, like the following:
>>
>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>> <username> from <ip-address>
>
> Well, I don't use PAM, just key-based authentication only, so I always
> see only the IP getting rejected since it doesn't even give them a
> place to try a user/password :) It's just weird that it is refusing a
> connection from user@domain rather than simply the IP. I guess they
> could be trying to ssh user@××××××.net or something. The one with
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
> interesting. I wonder what that's all about.
>

I too use only PubKey but they need to send a username so ssh knows
where to look for the public key. Your two options boil down to

1) install fail2ban (I installed it on all of my external ssh boxes and
I love it)
2) change the ssh port to something other than 22 (Security by Obscurity
but it frees up your logs so you can see real problems).

The two may be mutually exclusive as I'm not sure if you can tweak
fail2ban's ssh rules to monitor another port.

I just chalk it up as log spam unless I see definite bad patterns. But
again, with public key access only and banning root from logging in via
ssh I don't think anybody is getting far unless there is a flaw in ssh.

--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
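The thread turns on two things: sshd logs a username even on key-only servers (the client has to name an account before the key lookup), and fail2ban-style banning is just "N failures from one IP within a time window". The following is an added example written for this archive page, not code from the thread or from fail2ban: it parses constructed auth.log lines in the two failure formats seen above (the PAM line Johan quoted and OpenSSH's "Invalid user" line), applies a maxretry/findtime rule to decide which sources would be banned, and base64-decodes any username that is a well-formed base64 blob, which explains the odd one Paul asked about. The sample log, the thresholds and the `host` names are all constructed for the demo.

```python
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not from the thread): the PAM failure
# line Johan quoted, OpenSSH's "Invalid user" line, and one successful key login.
SAMPLE_AUTH_LOG = """\
Mar 19 10:36:01 host sshd[5926]: error: PAM: Authentication failure for root from 203.0.113.5
Mar 19 10:36:04 host sshd[5930]: error: PAM: Authentication failure for admin from 203.0.113.5
Mar 19 10:36:09 host sshd[5934]: Invalid user oracle from 203.0.113.5
Mar 19 10:41:00 host sshd[5940]: Invalid user test from 198.51.100.7
Mar 19 10:52:13 host sshd[5951]: Invalid user U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo= from 198.51.100.7
Mar 19 11:10:00 host sshd[5960]: Accepted publickey for eric from 192.0.2.10 port 50022 ssh2
"""

# Both failure forms carry a username and a source IP; the username is present
# even on key-only servers because the client must name an account first.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:error: PAM: Authentication failure for|Invalid user) "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(log_text):
    """Return (timestamp, username, source_ip) for every failed attempt in the log."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; only the deltas matter below.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def ips_to_ban(events, maxretry=3, findtime_s=600):
    """fail2ban-style rule: ban a source that fails maxretry times within findtime_s seconds."""
    findtime = timedelta(seconds=findtime_s)
    times_by_ip = defaultdict(list)
    for ts, _user, ip in events:
        times_by_ip[ip].append(ts)
    banned = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0  # left edge of a sliding window over this IP's failures
        for end in range(len(times)):
            while times[end] - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def decode_odd_username(user):
    """Return the decoded bytes if the username is a well-formed base64 blob, else None."""
    if len(user) % 4 or not BASE64_RE.match(user):
        return None
    try:
        return base64.b64decode(user, validate=True)
    except (binascii.Error, ValueError):
        return None

def summarize(log_text, maxretry=3, findtime_s=600):
    """Aggregate the log into the few facts a reviewer actually wants."""
    events = parse_failures(log_text)
    per_user = defaultdict(int)
    for _ts, user, _ip in events:
        per_user[user] += 1
    decoded = {u: decode_odd_username(u) for u in per_user}
    return {
        "failures": len(events),
        "per_user": dict(per_user),
        "ban": ips_to_ban(events, maxretry, findtime_s),
        "decoded_usernames": {u: b for u, b in decoded.items() if b is not None},
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_AUTH_LOG)
    print(f"{report['failures']} failed attempts; usernames tried: {report['per_user']}")
    print("would ban:", sorted(report["ban"]))
    for user, raw in report["decoded_usernames"].items():
        # "Salted__" is the magic header OpenSSL's enc command writes on
        # password-encrypted output, so this "username" is an encrypted blob,
        # not a name anyone expected to log in with.
        print(f"{user[:12]}... decodes to {len(raw)} bytes starting {raw[:8]!r}")
```

On the sample, 203.0.113.5 fails three times in eight seconds and is banned; 198.51.100.7 fails twice eleven minutes apart and is not, which is exactly the findtime behaviour that keeps a rule like this from banning a legitimate user who mistypes once a week. The base64 "username" from the thread decodes to 32 bytes beginning with `Salted__`, the header OpenSSL's `enc` puts on password-encrypted output. On the question of fail2ban and a non-standard port: a fail2ban jail takes a `port` setting, so the sshd jail can be pointed at whatever port `sshd_config` uses; the two options are not mutually exclusive.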
