However, I was alarmed when I took a peek at her security logs (/var/log/secure.log) to see so many attacks over SSH - primarily from from Asia (China, Korea, and India). Here's a small sample:
Nov 10 13:57:27 MacBook-Pro sshd[11704]: Invalid user admin from 208.51.155.141
Nov 10 13:57:28 MacBook-Pro sshd[11706]: Invalid user test from 208.51.155.141
Nov 10 13:57:29 MacBook-Pro sshd[11708]: Invalid user imaging from 208.51.155.141
Nov 10 13:57:31 MacBook-Pro sshd[11710]: Invalid user oracle from 208.51.155.141
Nov 10 19:20:41 MacBook-Pro sshd[12097]: Invalid user test from 218.1.65.233
Nov 10 19:20:45 MacBook-Pro sshd[12099]: Invalid user guest from 218.1.65.233
Nov 10 19:20:49 MacBook-Pro sshd[12101]: Invalid user admin from 218.1.65.233
Nov 10 19:20:53 MacBook-Pro sshd[12103]: Invalid user admin from 218.1.65.233
Nov 10 19:20:57 MacBook-Pro sshd[12105]: Invalid user user from 218.1.65.233
Nov 10 19:21:13 MacBook-Pro sshd[12116]: Invalid user test from 218.1.65.233
Nov 10 20:23:04 MacBook-Pro sshd[12152]: Invalid user apple from 125.16.216.69
Nov 10 20:23:09 MacBook-Pro sshd[12157]: Invalid user brian from 125.16.216.69
Nov 10 20:23:15 MacBook-Pro sshd[12162]: Invalid user andrew from 125.16.216.69
Nov 10 20:23:20 MacBook-Pro sshd[12167]: Invalid user newsroom from 125.16.216.69
Each attack would last between five and 20 minutes and they'd all go for the low hanging fruit such as common usernames and passwords. One solution is to simply change the SSH port from 22 to an obscure port.
I'll be keeping a close eye on those logs.
No comments:
Post a Comment