Full Version: Security
ukpro
Hi All,

I went through the security admin and installed mod_security, APF, etc., but I am still getting the following in my root mails.

--------------------- pam_unix Begin ------------------------

sshd:
Invalid Users:
Unknown Account: 20 Time(s)
Authentication Failures:
unknown (ns2176.ovh.net ): 20 Time(s)
root (ns2176.ovh.net ): 15 Time(s)
admin (ns2176.ovh.net ): 10 Time(s)


---------------------- pam_unix End -------------------------

--------------------- SSHD Begin ------------------------


Failed logins from these:
admin/password from 213.186.40.137: 10 Time(s)
guest/password from 213.186.40.137: 5 Time(s)
root/password from 213.186.40.137: 15 Time(s)
test/password from 213.186.40.137: 10 Time(s)
user/password from 213.186.40.137: 5 Time(s)

Users logging in through sshd:
root logged in from 82-38-10-201.cable.ubr02.barn.blueyonder.co.uk (82.38.10.201) using password: 3 Time(s)

Scanned from these:
chs-fire-208-179-130.americainter.net (66.208.179.130)
chs-fire-208-179-130.americainter.net (66.208.179.130)

**Unmatched Entries**
Illegal user test from 213.186.40.137
Illegal user guest from 213.186.40.137
Illegal user user from 213.186.40.137
Illegal user test from 213.186.40.137
Illegal user test from 213.186.40.137
Illegal user test from 213.186.40.137
Illegal user test from 213.186.40.137
Illegal user test from 213.186.40.137
Illegal user guest from 213.186.40.137
Illegal user guest from 213.186.40.137
Illegal user guest from 213.186.40.137
Illegal user guest from 213.186.40.137
Illegal user user from 213.186.40.137
Illegal user user from 213.186.40.137
Illegal user user from 213.186.40.137
Illegal user user from 213.186.40.137
Illegal user test from 213.186.40.137
Illegal user test from 213.186.40.137
Illegal user test from 213.186.40.137
Illegal user test from 213.186.40.137

---------------------- SSHD End -------------------------


Anyone able to help me out here?

Liam
dynamicnet
Greetings:

mod_security, properly configured, will protect against a number of Web-based attacks.

We don't use APF, but that is a firewall, and most hackers attack through a firewall just like most spies come through the same border gate you and I would use to cross countries.

Firewalls are needed, but don't necessarily keep hackers out.

What logwatch is showing is brute force attempts against SSH.

I do believe the maker of APF has an add-on called BFD that will help against such.

In any event, you should apply as many practical layers of security that you can or a security administrator can manage throughout every single day.

Thank you.
eth00
Yeah, BFD is a good idea. You should also make sure that the user passwords for those particular users are strong as there has been a lot of scanning for them recently.

You may also consider changing the sshd port; that is one more thing you can do to help secure your server.
ukpro
I have BFD installed already. Erm, I changed the port but now I cannot access shell on either port. What now! I have raised a support ticket.
eth00
You probably forgot to open the firewall port ;)

Ask the tech to flush the firewall and then change the rules to include the new port.
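
The logwatch report in the first post is a per-source summary of failed SSH password attempts. As an added example (not part of the thread, and not BFD's or logwatch's own code), this sketch does the same counting over raw sshd lines; the log lines, the threshold, and the names `find_bruteforce` and `allowlist` are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines; the two addresses are the ones in the report above.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[2101]: Illegal user test from 213.186.40.137
Jan 10 03:12:03 host sshd[2101]: Failed password for illegal user test from 213.186.40.137 port 40112 ssh2
Jan 10 03:12:06 host sshd[2104]: Failed password for root from 213.186.40.137 port 40115 ssh2
Jan 10 03:12:09 host sshd[2107]: Failed password for admin from 213.186.40.137 port 40119 ssh2
Jan 10 03:12:12 host sshd[2110]: Failed password for illegal user guest from 213.186.40.137 port 40123 ssh2
Jan 10 09:30:44 host sshd[3050]: Failed password for root from 82.38.10.201 port 51000 ssh2
Jan 10 09:30:52 host sshd[3050]: Accepted password for root from 82.38.10.201 port 51000 ssh2
"""

IP = r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})"
# The user name is attacker-controlled, so match it greedily and anchor on the
# trailing "from <ip> port <n> ssh2": a name like "x from 10.0.0.1" cannot then
# make the parser blame a different address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(.+) from "
    + IP + r" port \d+ ssh\d*\s*$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for .+ from " + IP + r" port \d+ ssh\d*\s*$")

def find_bruteforce(log_text, threshold=4, allowlist=()):
    """Map each source at or over `threshold` failed passwords to a summary."""
    failures, users, accepted = Counter(), defaultdict(set), set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.add(m.group(1))
    # "accepted" True on a flagged source means a guess may have succeeded.
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "accepted": ip in accepted}
        for ip, n in failures.items()
        if n >= threshold and ip not in allowlist  # never flag the admin's own address
    }

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Putting the administrator's own address in `allowlist` keeps a few mistyped passwords from turning into a self-inflicted lockout once the flagged sources are fed to a firewall.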