A lot of authentication failure messages

zdenisl · 05-13-2006, 06:53 PM

I just noticed in /var/log/messages I have a lot of authentication failure messages from foreign IP addresses.

I guess this is a hacker. How can I prevent this?

Today I've had 50 so far.

Here's a snipit:

Code:

May  7 09:38:45 ramair sshd(pam_unix)[24218]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=217.160.250.152  user=root
May  7 11:11:48 ramair sshd(pam_unix)[26330]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.89.164.18  user=root
May  7 11:11:56 ramair sshd(pam_unix)[26332]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.89.164.18  user=root
May  7 11:12:03 ramair sshd(pam_unix)[26334]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.89.164.18  user=root
May  7 11:12:13 ramair sshd(pam_unix)[26336]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.89.164.18  user=root
May  7 11:12:25 ramair sshd(pam_unix)[26338]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.89.164.18  user=root
May 13 12:00:43 ramair sshd(pam_unix)[5796]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.28.168.85  user=ftp
May 13 12:01:07 ramair sshd(pam_unix)[5806]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.28.168.85  user=postfix
May 13 12:01:15 ramair sshd(pam_unix)[5808]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.28.168.85  user=postgres
May 13 12:01:28 ramair sshd(pam_unix)[5812]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.28.168.85  user=root

btmiller · 05-13-2006, 08:29 PM

Take a look at the "failed SSH login" thread stickied at the top of this forum.

lucktsm · 05-16-2006, 09:44 AM

Change the port of the SSH server to listen on something other than the default port. This will reduce the number of bots that are bruteforce attacking you.