[Gllug] Login attempts from unspecified

Alain Williams addw at phcomp.co.uk
Mon Sep 20 20:19:01 UTC 2004


On Mon, Sep 20, 2004 at 09:21:33PM +0100, Henrik Morsing wrote:
> 
> Hi,
> I got the below in my auth.log (hundreds of lines). The IP address seems
> to not really belong to anyone. RIPE says "ALLOCATED UNSPECIFIED".
> 
> Can I do anything?
> 
> Sep 20 15:30:16 bsd sshd[10173]: Illegal user boss from 211.196.5.237
> Sep 20 15:30:21 bsd sshd[10178]: Illegal user sysop from 211.196.5.237
> Sep 20 15:30:26 bsd sshd[10181]: Illegal user qsvr from 211.196.5.237
> Sep 20 15:30:31 bsd sshd[10183]: Illegal user intel from 211.196.5.237
> Sep 20 15:30:36 bsd sshd[10185]: Illegal user dni from 211.196.5.237
> Sep 20 15:30:41 bsd sshd[10187]: Illegal user fal from 211.196.5.237
> Sep 20 15:30:46 bsd sshd[10189]: Illegal user mail from 211.196.5.237
> Sep 20 15:31:07 bsd sshd[10197]: Illegal user postmaster from
> 211.196.5.237

There have been more and more of these in recent months. You can tighten up a bit
by putting the following line at the top of /etc/pam.d/sshd:

	auth       required     pam_listfile.so sense=allow item=user file=/etc/ssh/sshAuthorisedUsers onerr=fail

/etc/ssh/sshAuthorisedUsers should contain a list of users (one per line) who you want to be able to login
using ssh. You should also do this for other services (eg ftp, imap, ...) with each having it's own file.

-- 
Alain Williams

#include <std_disclaimer.h>
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug




More information about the GLLUG mailing list