Use TCP Wrappers: /etc/hosts.allow and /etc/hosts.deny
Brian Fahrlander wrote:
From last night's LogWatch:
--------------------------------------------------------------------------
sshd:
  Invalid Users:
    Unknown Account: 7 Time(s)
  Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com : 2 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70 : 1 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1 : 1 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es : 1 Time(s)

su:
  Sessions Opened:
    brian(uid=500) -> root: 1 Time(s)
------------------------------------------------------------------------
Ok, guys, what do we do with this? Should we be writing down the addresses from which these attempts were made? They're probably all 'stooge' addresses, I know, but it might help authorities to know what other machines have been compromised...
I'll go save the log somewhere...
------------------------------------------------------------------------
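An added example (not part of Brian's post or of LogWatch): a small script that sums the per-host "authentication failure" counts from an sshd LogWatch section like the one above and renders a TCP Wrappers /etc/hosts.deny fragment for hosts at or over a threshold. The sample text is constructed from the entries quoted in the post; the threshold value and the "sshd : client" rendering are my choices, not anything the thread prescribes.

```python
import re
from collections import Counter

# Constructed sample in LogWatch's sshd "Unknown Entries" format,
# using the hosts quoted in the post above.
SAMPLE = """\
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=johnstongrain.com : 2 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.117.191.70 : 1 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.97.110.1 : 1 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es : 1 Time(s)
"""

# "rhost=<host> : <n> Time(s)" as LogWatch prints it
ENTRY = re.compile(r"rhost=(?P<host>\S+)\s*:\s*(?P<count>\d+)\s+Time\(s\)")


def failures_by_host(report: str) -> Counter:
    """Sum the failure counts per remote host across a LogWatch sshd section."""
    counts: Counter = Counter()
    for line in report.splitlines():
        if "authentication failure" not in line:
            continue  # skip headers and unrelated entries
        match = ENTRY.search(line)
        if match:
            counts[match.group("host")] += int(match.group("count"))
    return counts


def hosts_deny_fragment(counts: Counter, threshold: int = 2) -> str:
    """Render 'daemon : client' lines for /etc/hosts.deny (TCP Wrappers syntax).

    Only hosts with at least `threshold` failures are listed (threshold is an
    assumption). tcpd matches hostnames via reverse DNS, so a literal IP is
    the more dependable form when you have one.
    """
    lines = [f"sshd : {host}" for host, n in sorted(counts.items()) if n >= threshold]
    return "\n".join(lines)


if __name__ == "__main__":
    per_host = failures_by_host(SAMPLE)
    print(f"total failures: {sum(per_host.values())}")  # 7, matching the report's summary
    print(hosts_deny_fragment(per_host))
```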