Are these attempts by password crackers??

Rob spamrefuse at yahoo.com
Mon Oct 18 00:00:51 PDT 2004


Odhiambo Washington wrote:
> Hello users.
> I run several 5.2.1 boxes (in production).
> 
> For weeks now, I have seen a lot of notifications from periodic/daily
> with the output below and I have questions:
> 
> 
> 1. Is this some virus or some crackers playing around?
> 2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
>    also run?
> 3. Am I supposed to be worried at all? Well, I am not ;)
>    I hate the messages though and there must be something here that I
>    need to do.
> 
> 
> <cut>
> 
> Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
> Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2

These attackers seem to always poke at port 22 for ssh holes.
I have three ways to prevent access, from easy to more difficult setup:

1. restrict sshd access in /etc/hosts.allow, by an entry like

      sshd : 225.50.0.0/255.255.0.0 : allow
      [...whatever access restrictions to other services...]
      ALL : ALL : deny

    where 225.50.0.0/255.255.0.0 is an example of the sub-network you're on.
    Only IPs from this network can access your PC via ssh.

2. shift your sshd access to another port, by modifying /etc/rc.conf

       sshd_flags="-p 4321"

    but then users should be informed to do "ssh -p 4321 ...." instead.
    Note: 4321 is just an example; choose your own number > 1024 here.

3. Use a firewall that allows access via port 22 only for restricted IPs,
    but the other sshd port for the whole world.
    Modify /etc/rc.conf:
       sshd_flags="-p 22 -p 4321"

    And for example with ipfw:

       [...]
       check-state
       [...]
       allow tcp from any to me 4321 in via rl0 setup
       allow tcp from 225.50.0.0/16 to me ssh in via rl0 setup

    (replace "rl0" by your own device).


I am using (3) and the sshd attacks have dropped to zero.

Rob.
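
Added example, not part of the original message: a small Python script that summarizes sshd "Failed password" lines like the ones quoted above per source address, and marks whether each source falls inside the network allowed in the hosts.allow entry. The first two sample lines are from the thread; the other three are constructed, and 225.50.0.0/16 is the thread's own example network, so substitute your own.

```python
import ipaddress
import re

# sshd failure lines in the syslog format quoted in the thread. The optional
# "invalid user"/"illegal user" prefix is what sshd logs for unknown accounts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Lines 1-2 are from the thread; lines 3-5 are constructed for this example.
SAMPLE = """\
Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
Oct 17 10:44:27 gw sshd[4174]: Failed password for illegal user test from 210.80.96.185 port 52401 ssh2
Oct 17 11:02:03 gw sshd[4201]: Failed password for rob from 225.50.3.7 port 40112 ssh2
Oct 17 11:02:40 gw sshd[4203]: Accepted password for rob from 225.50.3.7 port 40115 ssh2
""".splitlines()


def summarize(lines, allowed="225.50.0.0/16"):
    """Map each source IP to its failure count, the usernames tried, and
    whether it lies inside the allowed network (assumed value, see lead-in)."""
    net = ipaddress.ip_network(allowed)
    report = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # not a failed-password line (e.g. "Accepted password")
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # sshd logged a hostname instead of an address
        entry = report.setdefault(
            str(addr), {"count": 0, "users": set(), "allowed": addr in net}
        )
        entry["count"] += 1
        entry["users"].add(m.group("user"))
    return report


if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        where = "inside" if e["allowed"] else "outside"
        print(f"{ip:15} {e['count']:3} failures, {where} allowed net, "
              f"users: {', '.join(sorted(e['users']))}")
```

Sources reported as outside the allowed network are the ones the hosts.allow entry or the ipfw rule for port 22 would refuse.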