Hi all,
We use "denyhosts" as well to monitor attempts to break into SSH ports, and are getting on average 50 per day over 20 servers. Interesting that it is "real" regular! Weekends even.
cheers
Gary
123 Internet Ltd
At 10:09 on 15/07/2008 you wrote
>To : NZNOG@list.waikato.ac.nz
>From: Steve Holdoway, steve@greengecko.co.nz
>
>On Tue, 15 Jul 2008 08:34:17 +1200
>Steve Holdoway <steve@greengecko.co.nz> wrote:
>
>> I don't, but I run logcheck to *tell* me ( and fcheck to tell me of any file changes, and... )! tbh my production servers have a backdoor single account ssh access to the internet, which is protected by denyhosts, and all other access is from a staging server via vpn, still using secure ( but separate ) protocols. I don't care too much about the shortcomings of denyhosts, as a) it's protecting the emergency backup service, and b) I've got enough static ip addresses whitelisted to get in from - imo it's perfect for this job.
>>
>> OK, you *could* break in through a distributed attack on the ssh port, but the real risk to my servers is now human, from those with the relevant knowledge of the network configuration. But to me the chances of someone looking for a starting point 9000 miles from the server, breaking in, then going through a few other hoops before hacking across the vpn to the production server is remote enough to put a long way down my list.
>>
>> And, of course, I'm lucky enough not to have to support 1903 vintage IBM boat anchors (:
>>
>>
>> Steve
>>
>Just to follow this up from this morning...
>
>From Logcheck...
>Jul 15 07:16:54 server sshd[8129]: Failed password for invalid user hipcomix from 207.210.107.2 port 34553 ssh2
>Jul 15 07:16:54 server sshd[8132]: Failed password for root from 207.210.107.2 port 34566 ssh2
>Jul 15 07:16:55 server sshd[8134]: Failed password for invalid user jpeger from 207.210.107.2 port 34582 ssh2
>Jul 15 07:16:55 server sshd[8139]: Failed password for invalid user favs from 207.210.107.2 port 34606 ssh2
>and a few more...
>
>From Denyhosts...
>Date: Tue, 15 Jul 2008 07:17:00 +1200
>
>Added the following hosts to /etc/hosts.deny:
>
>207.210.107.2 (unknown)
>
>
>Steve
Ref#: 41006
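
The logcheck excerpt and the DenyHosts report quoted above follow one pattern: count failed sshd logins per source address, skip whitelisted addresses, and emit a hosts.deny entry once a threshold is reached. The sketch below is an added example, not part of the thread and not DenyHosts' own code; the threshold of 3, the function names and every sample line marked "constructed" are assumptions.

```python
import re
from collections import Counter

# The username is attacker-controlled text, so the pattern is anchored to the
# end of the line and the greedy user match leaves only the final
# "from <ip> port <n> ssh2" (the part sshd itself writes) as the address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def hosts_to_deny(lines, threshold=3, allowlist=frozenset()):
    """Return sorted source IPs with at least `threshold` failed logins."""
    failures = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m and m.group("ip") not in allowlist:
            failures[m.group("ip")] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)

def deny_entries(ips, service="sshd"):
    """Format addresses as TCP Wrappers hosts.deny lines (daemon: client)."""
    return [f"{service}: {ip}" for ip in ips]

SAMPLE = [
    # The four lines from the logcheck excerpt in the thread.
    "Jul 15 07:16:54 server sshd[8129]: Failed password for invalid user hipcomix from 207.210.107.2 port 34553 ssh2",
    "Jul 15 07:16:54 server sshd[8132]: Failed password for root from 207.210.107.2 port 34566 ssh2",
    "Jul 15 07:16:55 server sshd[8134]: Failed password for invalid user jpeger from 207.210.107.2 port 34582 ssh2",
    "Jul 15 07:16:55 server sshd[8139]: Failed password for invalid user favs from 207.210.107.2 port 34606 ssh2",
    # Constructed: one mistyped password, below the threshold.
    "Jul 15 07:20:01 server sshd[8201]: Failed password for gary from 192.0.2.10 port 40001 ssh2",
    # Constructed: a whitelisted static address that fails three times.
    "Jul 15 07:21:10 server sshd[8210]: Failed password for steve from 198.51.100.7 port 40100 ssh2",
    "Jul 15 07:21:12 server sshd[8211]: Failed password for steve from 198.51.100.7 port 40101 ssh2",
    "Jul 15 07:21:15 server sshd[8212]: Failed password for steve from 198.51.100.7 port 40102 ssh2",
    # Constructed: a successful login is not counted.
    "Jul 15 07:21:20 server sshd[8213]: Accepted password for steve from 198.51.100.7 port 40103 ssh2",
]

if __name__ == "__main__":
    blocked = hosts_to_deny(SAMPLE, allowlist={"198.51.100.7"})
    print("\n".join(deny_entries(blocked)))
```

Without the allowlist, the three failures from 198.51.100.7 would lock out the administrator's own address, which is why the whitelisted static IPs mentioned in the thread matter for an emergency access path.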