As soon as my sshd service is started, I see a remote ssh session to the following IP address in Brazil
netstat -patune|grep -i ssh
tcp 0 0 196.2xx.xxx.xxx:22 188.8.131.52:54759 ESTABLISHED 0 62367 18749/sshd: [accept
telnet 184.108.40.206 80
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at 127.0.1.1 Port 80
Anyone else see anything suspicious when they enter netstat -patune|less?
tail -f /var/log/messages
Nov 14 22:23:55 linux-1 sshd: Invalid user administrator from 220.127.116.11
Nov 14 22:24:00 linux-1 sshd: Invalid user tads from 18.104.22.168
OK, just random scripts running. Wow, I just installed the server 2 days ago; this happening as soon as I
installed ntop must be coincidental.
You’re not seeing connections to the server; you’re seeing the server connect to you and try various userid/password combinations. It’s a simple brute force attack against your box from that hacked box.
Raise your firewall. If you need ssh, learn how to use keys. Change ssh port to something else.
Alternatively install fail2ban or similar program that automatically bans people who try to brute force your ssh keys.
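As an added example (not code from this thread, and not fail2ban's own implementation), here is the core of what fail2ban does for sshd, run over constructed log lines in the same shape as the /var/log/messages excerpt above: parse each "Invalid user" / "Failed password" line, keep a sliding window of failures per source IP, and decide on a ban once a threshold is crossed. The sample lines, the IP addresses (documentation ranges), the year (syslog lines carry none) and the thresholds are all assumptions made for the example.

```python
"""fail2ban-style ban logic over sshd syslog lines.
Added example, not from the forum thread or from fail2ban itself."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the same format as the poster's excerpt.
# IPs are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 14 22:23:55 linux-1 sshd: Invalid user administrator from 198.51.100.7
Nov 14 22:24:00 linux-1 sshd: Invalid user tads from 198.51.100.7
Nov 14 22:24:04 linux-1 sshd: Invalid user oracle from 198.51.100.7
Nov 14 22:24:09 linux-1 sshd: Invalid user test from 198.51.100.7
Nov 14 22:24:15 linux-1 sshd: Failed password for root from 198.51.100.7 port 54759 ssh2
Nov 14 22:30:00 linux-1 sshd: Invalid user guest from 203.0.113.9
Nov 14 22:31:12 linux-1 sshd: Accepted publickey for alice from 192.0.2.10 port 40122 ssh2
Nov 14 23:40:00 linux-1 sshd: Invalid user guest from 203.0.113.9
"""

# Matches the two common sshd failure messages; "sshd[pid]:" and plain "sshd:" both accepted.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text, year=2008):
    """Yield (timestamp, source_ip) for every authentication failure line.
    Syslog timestamps have no year, so one is assumed (2008 here)."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for sources that produced at least `maxretry`
    failures inside any `findtime` window (sliding window, as fail2ban does).
    Thresholds are assumptions; fail2ban's shipped defaults differ by version."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans:
            continue  # already banned; further lines from it are irrelevant
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.pop(0)  # expire attempts older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def ban_command(ip):
    """The kind of firewall rule a ban action would run (iptables syntax)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {ban_command(ip)}")
```

On the sample above only 198.51.100.7 crosses the threshold (five failures in twenty seconds); 203.0.113.9 fails twice an hour apart and is left alone, which is the point of the window: a user who mistypes a password occasionally should not be locked out. Real deployments also need a ban expiry and an allow-list for your own addresses so a mistake on your side does not cut off your only way in.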
Many thanks for the advice. Jogged my memory about port change
Nothing to worry about; I get the same stuff all the time, even worse if you happen to be running an ftp server. My logs fill up daily.
Just remember to use proper, strong passwords.
That’s one way to reduce the number of requests. But please make sure your users use secure pwds, that no root access is allowed via ssh, or even don’t allow plain pwd access.
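To make the advice in this reply checkable, here is an added example (not from the thread) that audits an sshd_config for the settings discussed: root login, password authentication, and the port. Both config texts are constructed for the example; the weak one is what a fresh install of that era typically looks like, the hardened one is the corrected form. The parser follows sshd_config's rules that matter here: keywords are case-insensitive, lines starting with # are comments, the first occurrence of a keyword wins, and everything after a Match line is conditional and so not a global setting. The defaults assumed for absent keywords are those of OpenSSH releases of that time (PermitRootLogin defaulted to yes; newer releases default to prohibit-password).

```python
"""sshd_config audit for the thread's advice. Added example, not from the thread."""
import re

# Constructed: the weak, out-of-the-box shape ...
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# ... and the corrected form. The second PermitRootLogin is ignored (first wins),
# and the Match block only re-enables passwords for one account, not globally.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

# Assumed OpenSSH defaults (of that era) for keywords not set in the file.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_global(config_text):
    """Return {keyword: value} for the global section of an sshd_config.
    Only lines starting with '#' are comments; 'Key value' and 'Key=value' both work."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after Match is conditional, not global
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(config_text):
    """Return a list of findings; empty means the config follows the thread's advice."""
    cfg = {**DEFAULTS, **parse_global(config_text)}
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no': root is a guessable username for brute forcers")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': use keys instead of passwords")
    if cfg["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM keyboard-interactive "
                        "can still accept passwords even with PasswordAuthentication no")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: key logins would fail")
    if cfg["port"] == "22":
        findings.append("Port 22: moving the port only cuts log noise, it is not a control")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "OK")
```

The ChallengeResponseAuthentication check is the one people forget: with PAM enabled, turning off PasswordAuthentication alone still leaves a password prompt via keyboard-interactive, so a brute forcer loses nothing. Run the audit before restarting sshd, and keep an existing session open while you test the new config so a mistake does not lock you out.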
This link may give you some pointers.
Apologies for the naff formatting! A pdf of it is on the website also.