How to understand this (logwatch)?

S

shaivam2015-06-14 14:30:41

linux

shaivam, 2015-06-14 14:30:41

How to understand it? Why are there no addresses? snippet of ssh log
Illegal users from:
undef: 3 times
\\320\\272\\321\\321\\320\\265 [preauth]: 1 time
\\320\\272root [preauth]: 1 time
\320\ 272\321\321\320\265: 2 times
\320\272root: 1

time "tapping" on other ports to open the port (authorization by keys, so users to get to rdp in lan from wan forward the port with an ssh script; I don't want to send out a new script to everyone, there will be confusion)
Didn't receive an ident from these IPs:
198.20.70.114 (census3.shodan.io): 1 Time(s)
71.6.167.142 (census9.shodan.io): 1 Time(s)
93.120.27.62 (m247.ro.shodan.io): 1 Time(s)

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Alexander, 2015-06-14
Madzhugin @Suntechnic

fail2ban

G

grumbler66rus, 2015-06-14
@grumbler66rus

it's not nice that I often get scanned by this scanner

If sshd_config says "PasswordAuthentication no", you can ignore it.
If you want to reduce the frequency of connections from the bot, this can be done using iptables like this (this is not a ready-made recipe!):

iptables -A INPUT -i eth1 -p tcp --syn --dport 22 -m recent --name sshin --set -m comment --comment "Set SSH incoming connection into table sshin"
iptables -A INPUT -i eth1 -p tcp --syn --dport 22 -m recent --name sshin --update --seconds 30 --hitcount 3 -j REJECT --reject-with tcp-reset -m comment --comment "Reject too quickly SSH new connection attempts"
iptables -A INPUT -i eth1 -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT --reject-with tcp-reset -m comment --comment "SSH: 2 connections from one IP simultaneous

"