Block SSH script attacks

macosxhints – Modify Remote Login server to block scripted attacks
If you run a machine that is open to the public internet and you open up SSH, then you've seen entries like these in your system logs.

Feb 10 07:07:36 localhost sshd[1078]: Illegal user matt from 210.127.248.158
Feb 10 07:07:38 localhost sshd[1080]: Illegal user test from 210.127.248.158
Feb 10 07:07:40 sshd[1082]: Illegal user operator from 210.127.248.158
Feb 10 07:07:42 sshd[1084]: Illegal user wwwrun from 210.127.248.158
Feb 10 07:07:52 sshd[1096]: Illegal user apache from 210.127.248.158
Feb 10 07:07:59 sshd[1104]: Failed password for root from 210.127.248.158 port 58752 ssh2
Feb 10 07:08:01 sshd[1106]: Failed password for root from 210.127.248.158 port 59136 ssh2
Feb 10 07:08:03 sshd[1108]: Failed password for root from 210.127.248.158 port 59176 ssh2
Feb 10 07:08:15 sshd[1122]: Failed password for root from 210.127.248.158 port 60606 ssh2
….

It looks like someone is trying to break into your machine, and you'd be right to think so. It's more than likely a script or robot just knocking on your door, but you never know. This article discusses some ways to lock down SSH and secure your remote connections.
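
As an added example (not from this post or the linked article), here is a small Python tally of failed sshd logins per source address, the kind of check that separates a scripted sweep from one mistyped password. The sample lines are constructed in the format shown above using documentation-range addresses; the threshold, the time window and the placeholder year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format shown above (documentation-range IPs).
SAMPLE_LOG = """\
Feb 10 07:07:36 localhost sshd[1078]: Illegal user matt from 203.0.113.7
Feb 10 07:07:38 localhost sshd[1080]: Illegal user test from 203.0.113.7
Feb 10 07:07:40 sshd[1082]: Illegal user operator from 203.0.113.7
Feb 10 07:07:59 sshd[1104]: Failed password for root from 203.0.113.7 port 58752 ssh2
Feb 10 07:08:01 sshd[1106]: Failed password for root from 203.0.113.7 port 59136 ssh2
Feb 10 07:09:12 sshd[1130]: Failed password for alice from 198.51.100.20 port 50122 ssh2
Feb 10 07:09:30 sshd[1131]: Accepted password for alice from 198.51.100.20 port 50122 ssh2
"""

# Hostname is optional; newer OpenSSH releases log "Invalid user" instead of "Illegal user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?sshd\[\d+\]: "
    r"(?:Illegal user|Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog omits the year; 2000 is an assumed placeholder (a leap year).
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_scripted_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each source with >= threshold failures inside any window to the names it tried."""
    events = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        events[ip].append((ts, user))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in hits})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_scripted_sources(SAMPLE_LOG).items():
        print(f"{ip}: tried {', '.join(users)}")
```

The single failed login from the second address stays below the threshold and is not flagged, which is the distinction a blocking rule needs to preserve for legitimate users.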
