Paul Hartman wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
> <johan.bluecreek@×××××.com> wrote:
>> I've always had usernames when it comes to sshd's log entries in
>> auth.log, like the following:
>>
>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>> <username> from <ip-adress>
>
> Well, I don't use PAM, just key-based authentication only, so I always
> see only the IP getting rejected since it doesn't even give them a
> place to try a user/password :) It's just weird that it is refusing a
> connection from user@domain rather than simply the IP. I guess they
> could be trying to ssh user@××××××.net or something. The one with
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
> interesting. I wonder what that's all about.
>

I too use only PubKey but they need to send a username so ssh knows
where to look for the public key. Your two options boil down to

1) install fail2ban (I installed it on all of my external ssh boxes and
I love it)
2) change the ssh port to something other than 22 (Security by Obscurity
but it frees up your logs so you can see real problems).

The two may be mutually exclusive as I'm not sure if you can tweak
fail2ban's ssh rules to monitor another port.

I just chalk it up as log spam unless I see definite bad patterns. But
again, with public key access only and banning root from logging in via
ssh I don't think anybody is getting far unless there is a flaw in ssh.

--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
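
As an added example (not part of the original messages and not fail2ban's own code), here is a sketch of the kind of log check a tool like fail2ban automates, applied to the sshd line format quoted in the thread: count failures per source IP in a sliding window and report the addresses that cross a threshold. The sample lines, the host name `gw`, the year and the thresholds are constructed assumptions; `max_retry` and `find_time` are named after fail2ban's `maxretry` and `findtime` settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The username is attacker-chosen, so it is matched greedily and the IP is
# anchored to the end of the line: only the last " from <ip>", the one sshd
# appends itself, is ever treated as the source address.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"error: PAM: Authentication failure for (?P<user>.+) from (?P<ip>\S+)$"
)

# Constructed sample lines (documentation-range IPs), not taken from the thread.
SAMPLE = [
    "Mar 19 10:36:01 gw sshd[5926]: error: PAM: Authentication failure for root from 203.0.113.5",
    "Mar 19 10:36:04 gw sshd[5927]: error: PAM: Authentication failure for admin from 203.0.113.5",
    "Mar 19 10:36:09 gw sshd[5928]: error: PAM: Authentication failure for x from 10.0.0.1 from 203.0.113.5",
    "Mar 19 10:40:00 gw sshd[5930]: error: PAM: Authentication failure for eric from 198.51.100.7",
    "Mar 19 11:30:00 gw sshd[5931]: error: PAM: Authentication failure for eric from 198.51.100.7",
]

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2009):
    """Map each IP with >= max_retry failures inside find_time to the usernames it tried."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> every username seen from that ip
    offenders = {}
    for line in lines:
        m = FAILURE.match(line.strip())
        if not m:
            continue  # not an authentication-failure line
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()  # drop failures that aged out of the window
        users[m["ip"]].add(m["user"])
        if len(window) >= max_retry:
            offenders[m["ip"]] = sorted(users[m["ip"]])
    return offenders

if __name__ == "__main__":
    for ip, tried in find_offenders(SAMPLE).items():
        print(ip, tried)
```
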