Old 07-31-2007, 03:26 AM   #1
LQ Newbie
Registered: Nov 2004
Posts: 28

Rep: Reputation: 15
blocking false ssh users with ossec


I have two questions.

My ssh port is 22. But I'm getting these emails from ossec which indicate ssh connections to funky ports:

Jul 30 09:42:40 ns1 sshd[3937]: Invalid user adauto from
Jul 30 09:42:40 ns1 sshd[3936]: Invalid user frida from
Jul 30 09:42:11 ns1 sshd[3932]: Failed password for invalid user fuad from port 56565 ssh2
Jul 30 09:42:08 ns1 sshd[3932]: Invalid user fuad from
Jul 30 09:41:59 ns1 sshd[3930]: Failed password for invalid user frida from port 56494 ssh2
Jul 30 09:41:57 ns1 sshd[3930]: Invalid user frida from
Jul 30 09:41:54 ns1 sshd[3928]: Failed password for invalid user frida from port 56406 ssh2
I have only a couple of handfuls of ports open by APF, and those listed are not. So my first question is: how could this be?

My second question is: how can I add the IPs of these attackers to hosts.deny with ossec automatically?

Last edited by txm123; 07-31-2007 at 03:28 AM.
Old 07-31-2007, 04:20 AM   #2
Registered: Oct 2004
Distribution: Slackware
Posts: 376

Rep: Reputation: 31
For your first question: those ports are where those users are connecting FROM, not TO. Your ssh daemon only listens on port 22, but ssh clients may connect from any port. This is safe and expected - it's just how TCP works.

Adding hosts to hosts.deny is pretty simple, but I don't know anything about ossec or how to get it to do it for you.
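
Added example, not part of the thread and not OSSEC's own mechanism: a stand-alone Python sketch that reads sshd lines in the format quoted in post #1, shows that the logged port is the client's source port, and turns repeat offenders into hosts.deny entries. The function names, the threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the log in post #1; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
Jul 30 09:41:54 ns1 sshd[3928]: Failed password for invalid user frida from 203.0.113.7 port 56406 ssh2
Jul 30 09:41:57 ns1 sshd[3930]: Invalid user frida from 203.0.113.7
Jul 30 09:41:59 ns1 sshd[3930]: Failed password for invalid user frida from 203.0.113.7 port 56494 ssh2
Jul 30 09:42:08 ns1 sshd[3932]: Invalid user fuad from 203.0.113.7
Jul 30 09:42:11 ns1 sshd[3932]: Failed password for invalid user fuad from 203.0.113.7 port 56565 ssh2
Jul 30 09:42:40 ns1 sshd[3936]: Invalid user frida from 198.51.100.23
Jul 30 09:43:02 ns1 sshd[3940]: Accepted password for admin from 192.0.2.10 port 40112 ssh2
"""

# Greedy user field plus the end-of-line anchor: the address is always taken
# from the last "from ... port ... ssh2", which sshd itself writes, so text
# inside a username cannot supply the address that ends up blocked.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port (?P<sport>\d+) ssh2$"
)

def parse_failures(log_text):
    """Return (user, source_ip, source_port) for each failed-password line."""
    found = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            found.append((m["user"], m["ip"], int(m["sport"])))
    return found

def deny_entries(log_text, threshold=3, allowlist=()):
    """hosts.deny lines for sources with at least `threshold` failures."""
    counts = Counter(ip for _, ip, _ in parse_failures(log_text))
    return [f"sshd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allowlist]

if __name__ == "__main__":
    for user, ip, sport in parse_failures(SAMPLE_LOG):
        # sport is the client's ephemeral port; the server side is still 22.
        print(f"{ip}:{sport} -> sshd on port 22, user={user}")
    print("\n".join(deny_entries(SAMPLE_LOG)))
```

Pass your own management addresses in `allowlist` so a mistyped password cannot lock you out.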
Old 07-31-2007, 03:51 PM   #3
Senior Member
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
As a (pseudo-random) aside, if you change your incoming SSH port, you'll have fewer login attacks by orders of magnitude. I bumped mine from 22 to 28 (for example) and instead of registering ~500 a day, I get 1 a week.

