As soon as my sshd service is started, I see a remote ssh session to the following IP address in Brazil
rcsshd start
netstat -patune|grep -i ssh
tcp 0 0 196.2xx.xxx.xxx:22 201.0.161.212:54759 ESTABLISHED 0 62367 18749/sshd: [accept
telnet 201.0.161.212 80
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at 127.0.1.1 Port 80
Anyone else see anything suspicious when they enter netstat -patune|less ?
tail -f /var/log/messages
Nov 14 22:23:55 linux-1 sshd[18549]: Invalid user administrator from 201.0.161.212
Nov 14 22:24:00 linux-1 sshd[18554]: Invalid user tads from 201.0.161.212
OK, just random scripts running. Wow, I just installed the server 2 days ago; this happening as soon as I installed ntop must be coincidental.
You’re not seeing connections to the server, you’re seeing the server connect to you and try various userid/password combinations. It’s a simple brute force attack against your box from that hacked box.
Two options:
Raise your firewall. If you need ssh, learn how to use keys. Change ssh port to something else.
Alternatively install fail2ban or similar program that automatically bans people who try to brute force your ssh keys.
That’s one way to reduce the number of requests. But please make sure your users use secure passwords, that no root access is allowed via ssh, or even don’t allow plain password access at all.
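The fail2ban-style rule the replies recommend, as an added example that is not part of the thread and not fail2ban's own code: it applies a maxretry/findtime check to sshd log lines in the format the original poster quoted. The sample log is constructed (the 10.0.0.x hosts and user names are invented; the 201.0.161.212 lines are the ones from the thread).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same syslog format as the lines quoted in the thread.
SAMPLE_LOG = """\
Nov 14 22:23:55 linux-1 sshd[18549]: Invalid user administrator from 201.0.161.212
Nov 14 22:24:00 linux-1 sshd[18554]: Invalid user tads from 201.0.161.212
Nov 14 22:24:07 linux-1 sshd[18560]: Failed password for invalid user oracle from 201.0.161.212 port 54901 ssh2
Nov 14 22:24:12 linux-1 sshd[18563]: Failed password for root from 201.0.161.212 port 54944 ssh2
Nov 14 22:30:01 linux-1 sshd[18600]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Nov 14 22:31:40 linux-1 sshd[18611]: Failed password for bob from 10.0.0.7 port 40010 ssh2
"""

# Matches the two failure shapes sshd logs: "Invalid user X from IP" and
# "Failed password for [invalid user] X from IP". Successful logins are ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, source_ip) for every failed or invalid-user login line."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            # syslog lines carry no year, so one is supplied (assumed) for parsing.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bruteforcers(log_text, maxretry=3, findtime_s=600):
    """Return {ip: total_failures} for every IP with >= maxretry failures
    inside any findtime_s-second window (the same rule fail2ban's jails use)."""
    attempts = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        attempts[ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            span = (times[i + maxretry - 1] - times[i]).total_seconds()
            if span <= findtime_s:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"ban candidate: {ip} ({n} failures)")
```

The single failure from 10.0.0.7 never reaches the threshold, so only the address from the thread is flagged; raising maxretry or lowering findtime_s tunes the sensitivity the same way the fail2ban jail settings do.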