Block SSH script attacks

Posted on September 29, 2005 in Uncategorized

If you run a machine that is open to the public internet, and you open up SSH then you've seen these entries in your system logs.

eb 10 07:07:36 localhost sshd[1078]: Illegal user matt from Feb 10 07:07:38 localhost sshd[1080]: Illegal user test from Feb 10 07:07:40 sshd[1082]: Illegal user operator from Feb 10 07:07:42 sshd[1084]: Illegal user wwwrun from Feb 10 07:07:52 sshd[1096]: Illegal user apache from Feb 10 07:07:59 sshd[1104]: Failed password for root from port 58752 ssh2 Feb 10 07:08:01 sshd[1106]: Failed password for root from port 59136 ssh2 Feb 10 07:08:03 sshd[1108]: Failed password for root from port 59176 ssh2 Feb 10 07:08:15 sshd[1122]: Failed password for root from port 60606 ssh2 ....

Looks like someone is trying to break into your machine and you'd be right. It's more than likely a script or robot just knocking on your door, but you never know. This article discusses some ways to lock down SSH and secure your remote connections.