I recently got to check my auth.log file on one of my servers (which is a Xen/virtual server running Ubuntu 7.04 Feisty and is the root server for other virtual/Xen servers; one of those v-servers is our company's web server) and I noticed there have been several attempts to break in!
I am a newbie in Linux and wondered if there are any files where I could put these IP addresses in a blacklist so they can't even connect, let alone try to log in?
(I would really like to have a script where, if any IP address tried 3 times to get in and failed, their IP would automatically go in that file (the *hit-list* file)! But I know that is a little too much... for now I'll be happy with any info...)
The log file shows the same IP addresses and several names (including root) trying to hack in, and that has us worried: what if the idiots get in?
I know it is not so easy... especially after I ran the recent updates, I can't log in as root myself via ssh any more and have to log in as another user and then su, or log in to the master server and then do an xm console to the server I want to log in to, and only then can I get in.
Still, it looks like someone is running a script and taking a guess at the names of users and passwords...
I have a difficult password installed (not any word in the dictionary or anything, just a long, random alphanumeric password)...
My other question is: is there anything I can do to get rid of these hackers?
Look at this idiot, please:
(just a couple of lines from the hundreds of lines in that log file):
Sep 1 04:37:21 tyr sshd: Failed password for invalid user gerbertus from 22.214.171.124 port 29389 ssh2
Sep 1 04:37:25 tyr sshd: Invalid user hupertus from 126.96.36.199
Sep 1 05:09:32 tyr sshd: Failed password for invalid user max from 188.8.131.52 port 15211 ssh2
Sep 1 05:09:36 tyr sshd: Invalid user maximilian from 184.108.40.206
Sep 1 05:09:36 tyr sshd: (pam_unix) check pass; user unknown
Or this one:
Sep 1 13:53:20 tyr sshd: Failed password for root from 220.127.116.11 port 54748 ssh2
Sep 1 13:53:20 tyr sshd: Invalid user sbin from 18.104.22.168
Sep 1 13:53:20 tyr sshd: (pam_unix) check pass; user unknown
Sep 1 13:53:20 tyr sshd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=unixway.tversu.ru
Sep 1 13:53:22 tyr sshd: Failed password for invalid user sbin from 22.214.171.124 port 55187 ssh2
Sep 1 13:53:23 tyr sshd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=unixway.tversu.ru user=root
And at least 3 more IP addresses since Aug 29th (2008) from different parts of the world...
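One way to build the "3 failures and you're on the hit-list" logic the question asks for, as an added example that is not from the original thread: a small Python script that parses lines in the quoted auth.log format, counts failed password attempts per source address and renders anything at or above the threshold in /etc/hosts.deny syntax (which sshd honours when built with TCP wrappers). The sample log lines and addresses below are constructed, not taken from the poster's server.

```python
import re
from collections import Counter

# Matches both "Failed password" shapes in the quoted auth.log, e.g.
#   "sshd: Failed password for invalid user max from 192.0.2.10 port 15211 ssh2"
#   "sshd: Failed password for root from 192.0.2.10 port 54748 ssh2"
# The optional "[pid]" also accepts the "sshd[1234]:" form of newer syslogs.
FAILED_RE = re.compile(
    r"sshd(?:\[\d+\])?: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(lines):
    """Return (ip, user) pairs, one per 'Failed password' line."""
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("user")))
    return hits

def offenders(lines, threshold=3):
    """Sorted IPs with at least `threshold` failed password attempts.
    Only 'Failed password' lines count: the 'Invalid user' and '(pam_unix)'
    lines describe the same attempt and would double-count it."""
    counts = Counter(ip for ip, _ in failed_logins(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def deny_file_lines(ips):
    """Render offenders as /etc/hosts.deny entries ('daemon: client') for sshd."""
    return [f"sshd: {ip}" for ip in ips]

# Constructed sample shaped like the quoted auth.log; RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = [
    "Sep 1 04:37:21 tyr sshd: Failed password for invalid user gerbertus from 192.0.2.10 port 29389 ssh2",
    "Sep 1 04:37:25 tyr sshd: Invalid user hupertus from 192.0.2.10",
    "Sep 1 04:37:25 tyr sshd: (pam_unix) check pass; user unknown",
    "Sep 1 04:37:27 tyr sshd: Failed password for invalid user hupertus from 192.0.2.10 port 29412 ssh2",
    "Sep 1 04:37:31 tyr sshd: Failed password for invalid user max from 192.0.2.10 port 29455 ssh2",
    "Sep 1 05:09:32 tyr sshd: Failed password for invalid user test from 198.51.100.7 port 15211 ssh2",
    "Sep 1 13:53:20 tyr sshd: Failed password for root from 203.0.113.5 port 54748 ssh2",
    "Sep 1 13:53:22 tyr sshd: Failed password for invalid user sbin from 203.0.113.5 port 55187 ssh2",
    "Sep 1 13:53:23 tyr sshd: Failed password for root from 203.0.113.5 port 55190 ssh2",
    "Sep 1 13:53:26 tyr sshd: Failed password for root from 203.0.113.5 port 55194 ssh2",
]

if __name__ == "__main__":
    for entry in deny_file_lines(offenders(SAMPLE_LOG)):
        print(entry)
```

Run against the real file with `offenders(open("/var/log/auth.log"))`; the threshold and the output format are the two knobs you would tune before appending anything to hosts.deny.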