>>On Mon, 02 Aug 2004 12:21:01 -0700, Ow Mun Heng <Ow.Mun.Heng@xxxxxxx> wrote:
>
>>This was in my logs last night at 11.56pm.
>
>
>Aug 2 03:21:18 ciscy sshd[27030]: Failed password for illegal user test from
>::ffff:69.59.166.236 port 41532 ssh2
>Aug 2 03:21:21 ciscy sshd[27032]: Failed password for illegal user guest from
>::ffff:69.59.166.236 port 41714 ssh2
>
>Seems to be coming from San Francisco...
>
>tracert 69.59.166.236
>
> [snip]
>
> 8 74 ms 71 ms 70 ms so-10-0.ipcolo1.SanFranciso1.Level3.net
>[4.68.112.234]
> 9 73 ms 72 ms 70 ms unknown.Level3.net [63.211.150.226]
> 10 74 ms 72 ms 72 ms border1-ge0-0-0.sfo.servepath.net
>[209.213.192.123]
> 11 76 ms 72 ms 72 ms border-core1-pos0-1.sfo2.servepath.net
>[216.93.189.34]
> 12 75 ms 71 ms 72 ms access1-ge0-1-5.sfo2.servepath.net
>[69.59.136.50]
> 13 75 ms 71 ms 72 ms customer-reverse-entry.69.59.166.236
>[69.59.166.236]
>
>
>--
> Steve
>
>

The fact that a user and password is getting flagged indicates that the hacker is getting past your /etc/hosts.deny file. I keep my ssh access shut down except for IP address ranges I am expecting. I realize this is not possible in all cases, but stopping the hacker before they get a login prompt is, in my opinion, a preferred situation.
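
Added example, not part of the original thread: a short Python script that tallies sshd failed-password lines like the two quoted above by source address, unwrapping the ::ffff: IPv4-mapped prefix so the result can be compared against the ranges allowed or denied for sshd. The function names, the threshold and every sample line after the first two are constructed for illustration; the log wording is assumed to match the quoted lines.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the sshd wording quoted in the thread ("illegal user"), the later
# "invalid user" wording, and failures for accounts that do exist.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<addr>\S+) port \d+"
)

def normalize(addr):
    """Return the source address as text, unwrapping ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)

def summarize(lines, threshold=2):
    """Map source address -> sorted usernames tried, for sources with
    at least `threshold` failed attempts. Unparseable lines are skipped."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            src = normalize(m.group("addr"))
        except ValueError:
            continue  # address field was not an IP literal
        attempts[src].append(m.group("user"))
    return {src: sorted(set(users))
            for src, users in attempts.items() if len(users) >= threshold}

# Constructed sample: the first two lines are the ones quoted in the thread;
# the last two are made up (documentation address ranges) to exercise the parser.
SAMPLE = [
    "Aug 2 03:21:18 ciscy sshd[27030]: Failed password for illegal user test from ::ffff:69.59.166.236 port 41532 ssh2",
    "Aug 2 03:21:21 ciscy sshd[27032]: Failed password for illegal user guest from ::ffff:69.59.166.236 port 41714 ssh2",
    "Aug 2 03:25:02 ciscy sshd[27040]: Failed password for root from 192.0.2.7 port 50022 ssh2",
    "Aug 2 03:26:10 ciscy sshd[27051]: Accepted password for alice from 198.51.100.4 port 50100 ssh2",
]

if __name__ == "__main__":
    for src, users in summarize(SAMPLE).items():
        print(f"{src}: usernames tried: {', '.join(users)}")
```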