Another $.02:

In addition to other security measures for ssh discussed in this thread:

I disable root logins for sshd. Set via the following parameter in sshd_config:

PermitRootLogin no

I also disable password authentication for sshd so only users with their public key installed can gain access. This is also controlled via sshd_config:

PasswordAuthentication no

And don't skip putting a passphrase on the private key! :-)

rna

On Tue, 7 Dec 2004, June Tate wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey folks,
>
> I've been a bit of a long time lurker on this list, but I've recently
> come up with a bit of a problem. Somebody, somewhere out on the 'net is
> attempting to crack into my home server -- unfortunately, they seem to
> be either using a few hundred zombie boxen on the 'net or spoofing their
> IP addresses because each attack is coming from a completely different IP.
>
> The first time I noticed, I noticed a bunch of "Illegal user" error
> messages in /var/log/auth.log. At first I didn't think much of it, but
> since I've worked on the iptables firewall, I've noticed an almost
> constant stream of incoming packets to random ports on my box, too.
>
> At first I thought he must have just found my box via an IP subnet scan
> or something, but when I recently changed ISPs and IP addresses, he
> followed via my domain name.
>
> My question is this: how can I track down this guy, blacklist, or
> prevent him from breaching my defenses? Also, what should I do about
> reporting him to the authorities? Who should I contact about this?
>
> I've tried looking up his various IPs in the whois databases to no avail
> - -- they list him as coming from Tokyo, Taiwan, South Africa, San
> Diego, etc.
>
> My server is running Debian Linux, for reference.
>
> - --
> June Tate * http://www.theonelab.com * june@theonelab.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBthH8iLw1iDrV/zwRAiCeAJwPPONOvIGvZoz9adMsUn0hrLFsGgCfUEO5
> KP+6fLu8ghnczqPpFB2AEKc=
> =1ye8
> -----END PGP SIGNATURE-----
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
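
A check for the two sshd_config settings recommended in the reply above, as an added example that is not part of the original message. The function names and the sample config are constructed for illustration; the parser assumes a single file with no Include directives.

```python
import re

# The two settings the reply recommends, with the values it asks for.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

def parse_sshd_config(text):
    """Return (global_settings, match_overrides) parsed from sshd_config text."""
    # sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
    global_settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match = value  # lines below apply only to this Match block
        elif match is None:
            global_settings.setdefault(key, value)  # first occurrence wins
        else:
            overrides.append((match, key, value))
    return global_settings, overrides

def audit(text):
    """Return a list of findings; an empty list means both settings hold."""
    settings, overrides = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd's built-in default applies")
        elif got.lower() != wanted:
            findings.append(f"{key}: effective value is '{got}', want '{wanted}'")
    for match, key, value in overrides:
        if key in WANTED and value.lower() != WANTED[key]:
            findings.append(f"{key}: set to '{value}' under 'Match {match}'")
    return findings

# Constructed sample: the second PermitRootLogin line is ignored by sshd,
# and the Match block turns password logins back on for one network.
SAMPLE = """\
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication=no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
print("\n".join(audit(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.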