On Mon, Aug 06, 2007 at 05:08:17PM +0100, Tim Green wrote:
On 8/6/07, Chris G cl@isbd.net wrote:
I have suddenly started getting lots of messages like the following in my /var/log/messages:-
Aug 5 06:59:01 home sshd[7886]: Connection from 193.128.168.195 port 63433
Aug 5 07:14:02 home sshd[7890]: Connection from 193.128.168.195 port 63995
Aug 5 07:29:01 home sshd[7893]: Connection from 193.128.168.195 port 64515
Aug 5 07:44:01 home sshd[2451]: Generating new 768 bit RSA key.
Aug 5 07:44:01 home sshd[2451]: RSA key generation complete.
Aug 5 07:44:02 home sshd[7897]: Connection from 193.128.168.195 port 65110
I can't see any other activity as a result, no attempted logins or odd processes running. Should I be worried? The IP address 193.128.168.195 seems to be unidentified.
whois 193.128.168.195 suggests "AP Solve Limited".
Ahhhhh!! :-)
That's where I used to work and I had a cron job there that attempts to set up an outgoing ssh pipe to my home system; this allowed me to log in to work from my home machine even though the firewall didn't allow incoming ssh connections. The sysadmin knew all about it, all quite above board. Obviously the cron job there is still running!
I get the occasional login attempt from other places but these are fairly obvious and my passwords are close to unguessable so they don't worry me too much.
For another layer of security I use sshblack: http://www.pettingers.org/code/sshblack.html
I installed it after getting sick of hearing the hard disk recording every login attempt. After 'n' guesses the IP address is blocked (with iptables) for a few days. There is a white list too, just in case you want regular remote access from an IP address someone else could cause to block.
Thanks!
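
Added example, not part of the original messages: the logged connections arrive almost exactly 15 minutes apart, which is the signature of a scheduled job rather than a person or a scanner. This Python code groups sshd "Connection from" lines by source address and flags sources with a near-constant interval; the function names and the `min_events` and `max_jitter` thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Log lines copied from the post above (syslog format, no year field).
SAMPLE_LOG = """\
Aug 5 06:59:01 home sshd[7886]: Connection from 193.128.168.195 port 63433
Aug 5 07:14:02 home sshd[7890]: Connection from 193.128.168.195 port 63995
Aug 5 07:29:01 home sshd[7893]: Connection from 193.128.168.195 port 64515
Aug 5 07:44:01 home sshd[2451]: Generating new 768 bit RSA key.
Aug 5 07:44:01 home sshd[2451]: RSA key generation complete.
Aug 5 07:44:02 home sshd[7897]: Connection from 193.128.168.195 port 65110
"""

CONN_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Connection from (\S+) port \d+"
)

def connection_times(log_text, year=2007):
    """Map source IP -> sorted list of connection timestamps."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # key regeneration and other sshd messages
        stamp = " ".join(m.group(1).split())  # normalise syslog's padded day
        seen[m.group(2)].append(
            datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in seen.items()}

def periodic_sources(log_text, min_events=4, max_jitter=5.0):
    """Return {ip: mean interval in seconds} for sources whose connections
    arrive at a near-constant interval (population std dev <= max_jitter)."""
    result = {}
    for ip, ts in connection_times(log_text).items():
        if len(ts) < min_events:
            continue  # too few events to call it a pattern
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter:
            result[ip] = mean(gaps)
    return result

if __name__ == "__main__":
    for ip, interval in periodic_sources(SAMPLE_LOG).items():
        print(f"{ip}: every ~{interval / 60:.0f} min, looks scheduled")
```

A source flagged this way is a candidate for a whitelist entry or a follow-up with the remote administrator, since regular timing alone says nothing about whether the job is authorised.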