[SWLUG] Possible SSH Attack

Justin Mitchell justin at discordia.org.uk
Fri Jul 15 08:38:52 UTC 2011


On Thu, 2011-07-14 at 22:22 +0100, Jon Reynolds wrote:

>  Jul 10 16:17:30 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root


This is a run-of-the-mill brute-force attack against your pop3 service.

All manner of automated attacks happen against anything left plugged
into the internet.

Be sure to disable any service you don't absolutely need, e.g. turn off
pop3 if you only use imap.

Make sure you do not have any weak passwords on guessable account names.
These brute-force attacks try obvious username and password combinations
in the hope of getting lucky, because somebody somewhere will have a
password of 'password' on a username of root, demo, guest, etc.

If you want to mess up their day and stop them trying, you can run
software like denyhosts or fail2ban. These programs watch the logs for
repeated failed login attempts and then block the IP address they came
from, so each IP address might get only a few tries then be blocked.
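
Added example, not part of the original message and not code from denyhosts or fail2ban: a sketch of the log-watching idea described above, applied to pam_unix failure lines in the format quoted in the thread. The parameter names `maxretry` and `findtime` follow fail2ban's option names; the host name, addresses and log lines are constructed, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches pam_unix failure lines in the format quoted in the thread.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+:\s"
    r"pam_unix\((?P<service>[\w-]+):auth\):\sauthentication failure;"
    r".*?\brhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?"
)

def hosts_to_block(lines, maxretry=3, findtime=timedelta(minutes=10), year=2011):
    """Return {rhost: time the threshold was crossed}; lines must be chronological."""
    recent = defaultdict(deque)  # rhost -> failure times still inside the window
    blocked = {}
    for line in lines:
        m = FAIL_RE.match(line)
        # Skip non-failures, hosts already blocked, and failures logged with
        # an empty rhost (as in the quoted line): there is no address to block.
        if not m or not m["rhost"] or m["rhost"] in blocked:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["rhost"]]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            blocked[m["rhost"]] = ts
    return blocked

def _line(ts, rhost, user):
    """Build one constructed log line; host name and addresses are made up."""
    return (f"Jul 10 {ts} mailhost authdaemond: pam_unix(pop3:auth): "
            f"authentication failure; logname= uid=0 euid=0 tty= ruser= "
            f"rhost={rhost}  user={user}")

SAMPLE = [  # constructed sample input, in chronological order
    _line("09:00:00", "198.51.100.4", "alice"),   # slow, spread-out failures
    _line("09:20:00", "198.51.100.4", "alice"),
    _line("09:40:00", "198.51.100.4", "alice"),
    _line("16:17:30", "", "root"),                # no source address logged
    _line("16:17:30", "203.0.113.7", "root"),     # rapid guessing from one host
    _line("16:17:33", "203.0.113.7", "demo"),
    _line("16:17:36", "203.0.113.7", "guest"),
    "Jul 10 16:18:00 mailhost pop3d: Connection, ip=[203.0.113.7]",  # not a failure
]

if __name__ == "__main__":
    for host, when in hosts_to_block(SAMPLE).items():
        print(f"block {host} (threshold crossed at {when})")
```
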
 




