Anything I can do against illegal login-requests?

Discussion in 'Installation/Configuration' started by schmidtedv, Sep 20, 2006.

  1. schmidtedv

    schmidtedv New Member

    ...
    Sep 20 12:37:52 84-16-251-18 sshd[27784]: Illegal user webmaster from ::ffff:216.24.126.67
    Sep 20 12:37:56 84-16-251-18 sshd[27790]: Illegal user webadmin from ::ffff:216.24.126.67
    Sep 20 12:37:58 84-16-251-18 sshd[27794]: Illegal user ftpuser from ::ffff:216.24.126.67
    Sep 20 12:37:59 84-16-251-18 sshd[27796]: Illegal user testuser from ::ffff:216.24.126.67
    Sep 20 12:38:01 84-16-251-18 sshd[27798]: Illegal user testuser from ::ffff:216.24.126.67
    Sep 20 12:38:02 84-16-251-18 sshd[27802]: Illegal user test from ::ffff:216.24.126.67
    Sep 20 12:38:03 84-16-251-18 sshd[27804]: Illegal user guestuser from ::ffff:216.24.126.67
    Sep 20 12:38:04 84-16-251-18 sshd[27806]: Illegal user test01 from ::ffff:216.24.126.67
    Sep 20 12:38:05 84-16-251-18 sshd[27808]: Illegal user test2 from ::ffff:216.24.126.67
    Sep 20 12:38:06 84-16-251-18 sshd[27810]: Illegal user test3 from ::ffff:216.24.126.67
    Sep 20 12:38:08 84-16-251-18 sshd[27812]: Illegal user test4 from ::ffff:216.24.126.67
    Sep 20 12:38:09 84-16-251-18 sshd[27814]: Illegal user test5 from ::ffff:216.24.126.67
    Sep 20 12:38:10 84-16-251-18 sshd[27816]: Illegal user test6 from ::ffff:216.24.126.67
    Sep 20 12:38:11 84-16-251-18 sshd[27818]: Illegal user test7 from ::ffff:216.24.126.67
    Sep 20 12:38:12 84-16-251-18 sshd[27822]: Illegal user test8 from ::ffff:216.24.126.67
    Sep 20 12:38:13 84-16-251-18 sshd[27824]: Illegal user test9 from ::ffff:216.24.126.67
    Sep 20 12:38:15 84-16-251-18 sshd[27826]: Illegal user test10 from ::ffff:216.24.126.67
    Sep 20 12:38:16 84-16-251-18 sshd[27828]: Illegal user user1 from ::ffff:216.24.126.67
    Sep 20 12:38:17 84-16-251-18 sshd[27830]: Illegal user user2 from ::ffff:216.24.126.67
    Sep 20 12:38:18 84-16-251-18 sshd[27832]: Illegal user user3 from ::ffff:216.24.126.67
    Sep 20 12:38:19 84-16-251-18 sshd[27834]: Illegal user user4 from ::ffff:216.24.126.67
    Sep 20 12:38:20 84-16-251-18 sshd[27836]: Illegal user user5 from ::ffff:216.24.126.67
    Sep 20 12:38:22 84-16-251-18 sshd[27838]: Illegal user user6 from ::ffff:216.24.126.67
    Sep 20 12:38:23 84-16-251-18 sshd[27842]: Illegal user user7 from ::ffff:216.24.126.67
    Sep 20 12:38:24 84-16-251-18 sshd[27844]: Illegal user user8 from ::ffff:216.24.126.67
    Sep 20 12:38:25 84-16-251-18 sshd[27846]: Illegal user user9 from ::ffff:216.24.126.67
    Sep 20 12:38:26 84-16-251-18 sshd[27848]: Illegal user user10 from ::ffff:216.24.126.67
    Sep 20 12:38:27 84-16-251-18 sshd[27850]: Illegal user simon from ::ffff:216.24.126.67
    Sep 20 12:38:29 84-16-251-18 sshd[27852]: Illegal user david from ::ffff:216.24.126.67
    Sep 20 12:38:30 84-16-251-18 sshd[27854]: Illegal user monica from ::ffff:216.24.126.67
    Sep 20 12:38:31 84-16-251-18 sshd[27856]: Illegal user sql from ::ffff:216.24.126.67
    Sep 20 12:38:33 84-16-251-18 sshd[27862]: Illegal user sybase from ::ffff:216.24.126.67
    Sep 20 12:38:34 84-16-251-18 sshd[27864]: Illegal user informix from ::ffff:216.24.126.67
    Sep 20 12:38:54 84-16-251-18 sshd[27902]: Illegal user shell from ::ffff:216.24.126.67
    Sep 20 12:38:55 84-16-251-18 sshd[27904]: Illegal user noaccess from ::ffff:216.24.126.67
    ...

    Is there a way to block sshd login-requests from other ip-ranges than germany? Or something else I could do against these assh......?
     
  2. sjau

    sjau Local Meanie

  3. schmidtedv

    schmidtedv New Member

    THX!

    But, well...this seems not to be ok?

    Code:
    starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
    Can't read: /private/var/log/system.log
    [Errno 2] No such file or directory: '/private/var/log/system.log'
    Error deleting DenyHosts lock file: /var/run/denyhosts.pid
    [Errno 2] No such file or directory: '/var/run/denyhosts.pid'
    
     
  4. sjau

    sjau Local Meanie

    Do use Debian?
     
  5. schmidtedv

    schmidtedv New Member

    ...sorry, found it...it activated 2 lines in denyhosts.cfg, so it took the second for mac with the logfile instead of my debian auth.log....changed and restarted with no errors :)

    Actually I took 2.5 which was the newest version...that's ok?
     
  6. sjau

    sjau Local Meanie

    what did you take 2.5?
     
  7. schmidtedv

    schmidtedv New Member

    denyhosts....newest stable version i found was not 2.0...2.5 was newest, so i installed this one


    anything else that might be done that quick to higher the security with debian 3.1 and ISPConfig 2.2.6? I already use postgrey...but that's it.
     
    Last edited: Sep 20, 2006
  8. sjau

    sjau Local Meanie

    well, if you have a packet manager I'd use that one... on debian apt on suse yum on RH rpm I think on other systems no clue...
    Well newer version is normally better but I just like the apt-get install on debian and the regular apt-get update and then apt-get upgrade :)
     
  9. schmidtedv

    schmidtedv New Member

    I didn't know that denyhosts comes with apt-get...the tutorial only told about getting it manually with wget, so I used this way, having in mind that he did it for debian and so he would have used apt-get, if this would have been possible, but, next time i try it first with apt-get :)

    however, I'm still learning. This server is actually my first linux-experience, so, I try to read first before fool around with some stuff...so I hope doing it all right (without always knowing what I do, haha)
     
  10. sjau

    sjau Local Meanie

    ups, you're right... it doesn't come with apt-get :) my mistake... it's been a while since I installed it :)
     
  11. schmidtedv

    schmidtedv New Member

    ...so, some other quick tips in mind for some kind of newbie?
     
  12. sjau

    sjau Local Meanie

    Don't give up :)
    <-- also a noob
     
  13. schmidtedv

    schmidtedv New Member

    :) just realising taking a skypename with a dot "." inside was not a good idea, all indicators get confused by this, lol
     
  14. falko

    falko Super Moderator

  15. schmidtedv

    schmidtedv New Member

    thx, falko, will have a look at it!
     
  16. radim_h

    radim_h Member

    try to move SSH on different port then 22 in /etc/ssh/sshd_config
     
  17. sjau

    sjau Local Meanie

    Safest way would be to unhook it from the net ;) but I guess that's not what you want...
     
  18. radim_h

    radim_h Member

    fail2ban

    try apt-get install fail2ban it is configured right after installation :)
     

Share This Page