From: "Gerald" <gwichman@xxxxxxxxx>
It looks like i'm getting a dictionary attack on my system. I moved
ssh to another port instead of 22 in hopes that would put a halt to it
but it did not. Any recommendations to improve security here? I notice
these attacks come from a variety of IP's so pursuing one individual
is probably not worthwhile.
[root@corona ~]# tail /var/log/secure
Dec 25 17:51:09 corona sshd[24704]: Failed password for invalid user
turid from ::ffff:203.115.124.116 port 38370 ssh2
Dec 25 17:51:12 corona sshd[24707]: Invalid user turnage from
::ffff:203.115.124.116
Dec 25 17:51:14 corona sshd[24707]: Failed password for invalid user
turnage from ::ffff:203.115.124.116 port 38886 ssh2
Dec 25 17:51:18 corona sshd[24710]: Invalid user turnbough from
::ffff:203.115.124.116
Dec 25 17:51:20 corona sshd[24710]: Failed password for invalid user
turnbough from ::ffff:203.115.124.116 port 39397 ssh2
Dec 25 17:51:22 corona sshd[24713]: Invalid user turner from
::ffff:203.115.124.116
Dec 25 17:51:25 corona sshd[24713]: Failed password for invalid user
turner from ::ffff:203.115.124.116 port 40228 ssh2
Dec 25 17:51:27 corona sshd[24716]: Invalid user tursun from
::ffff:203.115.124.116
Dec 25 17:51:30 corona sshd[24716]: Failed password for invalid user
tursun from ::ffff:203.115.124.116 port 40714 ssh2
Dec 25 21:20:46 corona sshd[24897]: Accepted password for root from
::ffff:10.1.1.17 port 4500 ssh2
[root@corona ~]#
Unless the last one was you, Gerald, your machine is no longer your
machine. Disconnect it, save important data, reformat, and reload your
software from KNOWN GOOD backups.
{^_^}
