[Nottingham] ssh attempts for common usernames
Simon Amor
simon at leaky.org
Tue Aug 23 12:05:25 BST 2005
Recently I've been seeing a lot of failed ssh attempts into my
dedicated server for usernames like mail, ftp, test, robert, simon, bob
etc. There would be somewhere in the region of 70 different users
tried from each of maybe 3 or 4 IPs a day.

I know that other people (who may not be on this list) are seeing
similar things and I figured I should look into trying to block them.
A quick google later and I found http://denyhosts.sourceforge.net/

Took me about 30m (including distractions) to download, install and
configure and it's already added about 40 IPs to /etc/hosts.deny and
now I'm seeing ssh connection refused messages in logwatch output
instead of failed logins for user test.

I'm not sure I agree with running it from cron every 20 minutes so
I've got it watching the logs every 30 seconds (running in daemon
mode) and it doesn't seem to be impacting server performance at all.
I guess there's a tradeoff between 20 minute gaps where the server is
open to abuse before it picks up on the attempts and 2 second gaps
where all the server does is process logs.

Simon
--
Simon Amor
simon at leaky.org
http://www.leaky.org/
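
The kind of log check the post describes, as an added example (not DenyHosts code and not part of the original message): it counts distinct usernames with failed ssh logins per source IP and formats the offenders as /etc/hosts.deny rules. The function names, the threshold of 3 usernames, the allow list and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Anchored at the end of the line with a greedy username, so a username
# that itself contains " from <ip>" cannot cause a different address
# to be counted: only the final "from IP port N ssh2" is trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def offenders(lines, min_users=3, allow=()):
    """Map each IP that failed logins for >= min_users distinct usernames
    to those usernames. min_users and allow are assumptions of this sketch."""
    seen = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m and m.group("ip") not in allow:
            seen[m.group("ip")].add(m.group("user"))
    return {ip: sorted(users) for ip, users in seen.items()
            if len(users) >= min_users}

def hosts_deny_entries(found):
    """Format the offending IPs as tcp_wrappers rules for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(found)]

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Aug 23 11:58:01 host sshd[2101]: Failed password for invalid user mail from 192.0.2.10 port 40112 ssh2
Aug 23 11:58:03 host sshd[2103]: Failed password for invalid user ftp from 192.0.2.10 port 40118 ssh2
Aug 23 11:58:05 host sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 40125 ssh2
Aug 23 11:58:07 host sshd[2107]: Failed password for invalid user x from 198.51.100.7 from 192.0.2.10 port 40131 ssh2
Aug 23 12:01:44 host sshd[2140]: Failed password for simon from 198.51.100.7 port 51022 ssh2
Aug 23 12:01:52 host sshd[2140]: Accepted password for simon from 198.51.100.7 port 51022 ssh2
Aug 23 12:03:10 host sshd[2155]: Failed password for root from 203.0.113.5 port 33901 ssh2
Aug 23 12:03:12 host sshd[2155]: Failed password for root from 203.0.113.5 port 33901 ssh2
""".splitlines()

if __name__ == "__main__":
    for rule in hosts_deny_entries(offenders(SAMPLE_LOG)):
        print(rule)
```

Counting distinct usernames rather than raw failures keeps a legitimate user who mistypes a password a few times off the deny list, and the allow list guards against locking out your own address.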