On 12/26/05, jdow jdow@earthlink.net wrote:
From: "Gerald" gwichman@gmail.com
It looks like I'm getting a dictionary attack on my system. I moved ssh to another port instead of 22 in hopes that would put a halt to it but it did not. Any recommendations to improve security here? I notice these attacks come from a variety of IPs so pursuing one individual is probably not worthwhile.
[root@corona ~]# tail /var/log/secure
[. . . snip snip snip . . . ]
tursun from ::ffff:203.115.124.116 port 40714 ssh2
Dec 25 21:20:46 corona sshd[24897]: Accepted password for root from ::ffff:10.1.1.17 port 4500 ssh2
[root@corona ~]#
Unless the last one was you, Gerald, your machine is no longer your machine. Disconnect it, save important data, reformat, and reload your software from KNOWN GOOD backups.
{^_^}
The last one is from an RFC1918 reserved address (10.0.0.0/8) and is from his internal network. All the others are from the public Internet. I'd assume that's him logging into his own machine. ;-)
-- Chris
"I trust the Democrats to take away my money, which I can afford. I trust the Republicans to take away my freedom, which I cannot."