| 1 |
On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin <freak4uxxx@×××××.com> wrote: |
| 2 |
> Paul Hartman wrote: |
| 3 |
>> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck |
| 4 |
>> <johan.bluecreek@×××××.com> wrote: |
| 5 |
>>> I've always had usernames when it comes to sshd's log entries in |
| 6 |
>>> auth.log, like the following: |
| 7 |
>>> |
| 8 |
>>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for |
| 9 |
>>> <username> from <ip-adress> |
| 10 |
>> |
| 11 |
>> Well, I don't use PAM, just key-based authentication only, so I always |
| 12 |
>> see only the IP getting rejected since it doesn't even give them a |
| 13 |
>> place to try a user/password :) It's just weird that it is refusing a |
| 14 |
>> connection from user@domain rather than simply the IP. I guess they |
| 15 |
>> could be trying to ssh user@××××××.net or something. The one with |
| 16 |
>> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is |
| 17 |
>> interesting. I wonder what that's all about. |
| 18 |
>> |
| 19 |
> |
| 20 |
> I too use only PubKey but they need to send a username so ssh knows |
| 21 |
> where to look for the public key. Your two options boil down to |
| 22 |
> |
| 23 |
> 1) install fail2ban (I installed it on all of my external ssh boxes and |
| 24 |
> I love it) |
| 25 |
> 2) change the ssh port to something other than 22 (Security by Obscurity |
| 26 |
> but it frees up your logs so you can see real problems). |
| 27 |
> |
| 28 |
> The two may me mutually exclusive as I'm not sure if you can tweak |
| 29 |
> fail2ban's ssh rules to monitor another port. |
| 30 |
> |
| 31 |
> I just chock it up as log spam unless I see definite bad patterns. But |
| 32 |
> again, with public key access only and banning root from logging in via |
| 33 |
> ssh I don't think anybody is getting far unless there is a flaw in ssh. |
| 34 |
|
| 35 |
Oh, I am not concerned about the attacks. I just thought it was weird |
| 36 |
that I saw user@domain when I normally see only IP or only domain. |
| 37 |
They are already refused connection as the log shows :) |
| 38 |
|
| 39 |
Thanks, |
| 40 |
Paul |
Archives