On 12/26/05, jdow <jdow@xxxxxxxxxxxxx> wrote:
> From: "Gerald" <gwichman@xxxxxxxxx>
>
> > It looks like i'm getting a dictionary attack on my system. I moved
> > ssh to another port instead of 22 in hopes that would put a halt to it
> > but it did not. Any recommendations to improve security here? I notice
> > these attacks come from a variety of IP's so pursuing one individual
> > is probably not worthwhile.
> >
> > [root@corona ~]# tail /var/log/secure
> [. . . snip snip snip . . . ]
> > tursun from ::ffff:203.115.124.116 port 40714 ssh2
> > Dec 25 21:20:46 corona sshd[24897]: Accepted password for root from
> > ::ffff:10.1.1.17 port 4500 ssh2
> > [root@corona ~]#
>
> Unless the last one was you, Gerald, your machine is no longer your
> machine. Disconnect it, save important data, reformat, and reload your
> software from KNOWN GOOD backups.
>
> {^_^}

The last one is from an RFC1918 reserved address (10.0.0.0/8) and is
from his internal network. All the others are from the public
Internet. I'd assume that's him logging into his own machine. ;-)

--
Chris

"I trust the Democrats to take away my money, which I can afford.
I trust the Republicans to take away my freedom, which I cannot."
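The check made in the reply above, as an added example that is not part of the original thread: it lists every accepted sshd login in a log and labels its source as internal (RFC1918 or loopback) or public, unwrapping the `::ffff:` IPv4-mapped form seen in the quoted log. The function names and the first and third sample lines are constructed for illustration; only the second sample line comes from the quoted log.

```python
import ipaddress
import re

# sshd authentication results as they appear in /var/log/secure.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def source_scope(addr):
    """Classify a logged peer address as 'internal', 'public' or 'unknown'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"  # hostname or malformed field, needs a manual look
    # sshd on an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d; unwrap first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "internal"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "internal"
    # Assumption: everything else, including native IPv6, is treated as public.
    return "public"

def accepted_logins(lines):
    """Return (user, address, scope) for every successful sshd login."""
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group("result") == "Accepted":
            addr = m.group("addr")
            hits.append((m.group("user"), addr, source_scope(addr)))
    return hits

# Constructed sample input, except the second line (taken from the quoted log).
SAMPLE = [
    "Dec 25 21:19:58 corona sshd[24890]: Failed password for invalid user test from ::ffff:203.0.113.5 port 40702 ssh2",
    "Dec 25 21:20:46 corona sshd[24897]: Accepted password for root from ::ffff:10.1.1.17 port 4500 ssh2",
    "Dec 25 21:21:03 corona sshd[24901]: Accepted password for root from ::ffff:198.51.100.7 port 51515 ssh2",
]

if __name__ == "__main__":
    for user, addr, scope in accepted_logins(SAMPLE):
        print(f"accepted login: user={user} from={addr} scope={scope}")
```

An accepted login labelled `public` during a password-guessing run is the case that warrants the rebuild advice quoted above; one labelled `internal` still has to be matched to a known host and person.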