Suspicious ssh access to my server

As soon as my sshd service is started, I see a remote ssh session to the following IP address in Brazil

rcsshd start

netstat -patune|grep -i ssh

tcp 0 0 196.2xx.xxx.xxx:22 201.0.161.212:54759 ESTABLISHED 0 62367 18749/sshd: [accept

telnet 201.0.161.212 80
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at 127.0.1.1 Port 80

Anyone else see anything suspicious when they enter netstat -patune|less?

tail -f /var/log/messages
Nov 14 22:23:55 linux-1 sshd[18549]: Invalid user administrator from 201.0.161.212
Nov 14 22:24:00 linux-1 sshd[18554]: Invalid user tads from 201.0.161.212

OK, just random scripts running. Wow, I just installed the server 2 days ago; this happening as soon as I
installed ntop must be coincidental.

You’re not seeing connections to the server, you’re seeing the server connect to you and try various userid/password combinations. It’s a simple brute force attack against your box from that hacked box.

Two options:
Raise your firewall. If you need ssh, learn how to use keys. Change ssh port to something else.
Alternatively install fail2ban or similar program that automatically bans people who try to brute force your ssh keys.
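To show what a tool like fail2ban actually does with log lines like the ones above, here is an added example (it is not code from anyone in this thread or from fail2ban itself): it counts sshd "Invalid user" and "Failed password" lines per source address and flags any source over a retry threshold. The log sample is constructed for the example: the two lines the original poster saw plus four made-up lines, including one unrelated address and one successful key login that must not count.

```shell
#!/bin/sh
# Added example: the per-source counting behind an ssh brute-force ban.
# Constructed sample log: the poster's two lines plus four invented ones.
SAMPLE_LOG='Nov 14 22:23:55 linux-1 sshd[18549]: Invalid user administrator from 201.0.161.212
Nov 14 22:24:00 linux-1 sshd[18554]: Invalid user tads from 201.0.161.212
Nov 14 22:24:05 linux-1 sshd[18560]: Invalid user oracle from 201.0.161.212
Nov 14 22:24:11 linux-1 sshd[18566]: Failed password for invalid user test from 201.0.161.212 port 54901 ssh2
Nov 14 22:30:42 linux-1 sshd[18601]: Accepted publickey for admin from 192.0.2.10 port 50011 ssh2
Nov 14 22:31:03 linux-1 sshd[18610]: Invalid user guest from 198.51.100.7'

# brute_force_sources THRESHOLD [FILE]
# Prints "<count> <ip>" (highest first) for every source address that produced
# at least THRESHOLD failed or invalid-user attempts. Reads FILE, or stdin when
# FILE is omitted. Successful logins ("Accepted ...") are never counted.
brute_force_sources() {
    threshold="$1"
    shift
    awk -v threshold="$threshold" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ {
            # the source address is the token that follows "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
        }
        END {
            for (ip in hits) if (hits[ip] >= threshold) print hits[ip], ip
        }' "$@" | sort -rn
}

# ban_commands THRESHOLD [FILE]
# Prints (does not run) one firewall rule per flagged source, the kind of rule a
# ban action would insert. Rule shape is illustrative, not fail2ban's own chain.
ban_commands() {
    brute_force_sources "$@" | while read -r count ip; do
        echo "iptables -I INPUT -p tcp --dport 22 -s $ip -j DROP   # $count failures"
    done
}

# Usage: a maxretry of 3 over the sample flags only the Brazilian address.
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_LOG" | ban_commands 3
```

On a real box you would feed it /var/log/messages (or auth.log / secure, depending on the distribution) instead of the sample. The one thing this deliberately leaves out is the time window: fail2ban only counts failures within its findtime and unbans after bantime, so a slow scanner spreading attempts over hours is not caught by a plain count like this one.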

Many thanks for the advice. Jogged my memory about the port change.

Nothing to worry about - I get the same stuff all the time, even worse if you happen to be running an ftp server, my logs fill up daily.

Just remember to use proper, strong passwords.

That’s one way to reduce the number of requests. But please make sure your users use secure passwords, that no root access over ssh is allowed, or even disallow plain password access altogether.
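The advice in the last two replies (move the port, use keys, no root login, no password login) all lands in sshd_config, so here is an added example (not code from anyone in this thread) that reads the directives sshd would actually use from a config file and reports the weak ones. Both config fragments are constructed for the example: one stock-looking, one after applying the advice above.

```shell
#!/bin/sh
# Added example: audit the sshd_config directives the thread recommends.
# Both configs are constructed samples, not anyone's real server config.
WEAK_CONFIG='# constructed: stock-looking sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes'

HARDENED_CONFIG='# constructed: after applying the advice in this thread
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowUsers admin
UsePAM yes'

# sshd_value FILE DIRECTIVE
# Prints the value sshd would use for DIRECTIVE: keywords are case-insensitive,
# comment and blank lines are skipped, and the first occurrence wins, as in
# sshd_config(5). Everything after a Match line is conditional, so the scan
# stops there. Prints nothing when the directive is not set.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }' "$1"
}

# audit_sshd_config FILE
# Prints one line per weak setting and returns 1 if any were found, 0 if clean.
# An unset directive is reported too, since the point is to set it explicitly.
audit_sshd_config() {
    findings=0
    port=$(sshd_value "$1" Port)
    root=$(sshd_value "$1" PermitRootLogin)
    passwd=$(sshd_value "$1" PasswordAuthentication)
    pubkey=$(sshd_value "$1" PubkeyAuthentication)
    if [ "${port:-22}" = "22" ]; then
        echo "Port: 22 (every scanner tries it; move it or firewall it)"; findings=1
    fi
    if [ "${root:-unset}" != "no" ]; then
        echo "PermitRootLogin: ${root:-unset} (should be no)"; findings=1
    fi
    if [ "${passwd:-unset}" != "no" ]; then
        echo "PasswordAuthentication: ${passwd:-unset} (should be no; use keys)"; findings=1
    fi
    if [ "${pubkey:-unset}" != "yes" ]; then
        echo "PubkeyAuthentication: ${pubkey:-unset} (set yes explicitly)"; findings=1
    fi
    return $findings
}

# Usage: write both samples to temp files and audit each.
weak=$(mktemp); hardened=$(mktemp)
printf '%s\n' "$WEAK_CONFIG" > "$weak"
printf '%s\n' "$HARDENED_CONFIG" > "$hardened"
for f in "$weak" "$hardened"; do
    echo "== $f =="
    if audit_sshd_config "$f"; then echo "OK"; else echo "needs work"; fi
done
rm -f "$weak" "$hardened"
```

Run it against /etc/ssh/sshd_config before restarting sshd, and keep an existing session open while you test key login from a second one so a typo does not lock you out. If root must be able to log in directly, PermitRootLogin prohibit-password (without-password on older OpenSSH) allows keys only and is the usual compromise; this check flags it so you decide on purpose. The parser stops at the first Match block and does not follow Include lines; for the fully resolved configuration, sshd -T prints every effective value.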

Hi,
This link may give you some pointers.

http://www.tuxit.co.uk/securessh.html

Apologies for the naff formatting! A pdf of it is on the website also.

cheers
J