On 08/02/2004 05:57 PM, Brian Fahrlander wrote:
On Mon, 2004-08-02 at 16:01, STYMA, ROBERT E (ROBERT) wrote:
>>>On Mon, 02 Aug 2004 12:21:01 -0700, Ow Mun Heng <Ow.Mun.Heng(a)wdc.com> wrote:
>>>
>>>
>>>This was in my logs last night at 11.56pm.
>>>
>>>
>>Aug 2 03:21:18 ciscy sshd[27030]: Failed password for illegal user test from ::ffff:69.59.166.236 port 41532 ssh2
>>Aug 2 03:21:21 ciscy sshd[27032]: Failed password for illegal user guest from ::ffff:69.59.166.236 port 41714 ssh2
>>
>>Seems to be coming from San Francisco...
>>
>>
>>
>>
>The fact that a user and password are getting flagged indicates that the
>hacker is getting past your /etc/hosts.deny file. I keep my ssh access
>shut down except for IP address ranges I am expecting. I realize this is
>not possible in all cases, but stopping the hacker before they get a login
>prompt is in my opinion a preferred situation.
>
>
Yeah, but you may as well firewall the world. This seems to be
everywhere.
So use hosts.allow instead, and specify the few particular hosts that
are allowed to attempt to connect. Everyone else will be summarily
rejected. (Firewalling the world is not a bad option, either).