If spam wasn't enough, my machines are also getting hit by hackers trying to get through the sshd port:
I've installed denyhost; let's hope that it can work to cut back on some of this nonsense.
Jun 5 00:35:31 kyoto sshd[59150]: Invalid user prueba from 62.27.42.80
Jun 5 00:35:32 kyoto sshd[59152]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:32 kyoto sshd[59154]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:33 kyoto sshd[59156]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:34 kyoto sshd[59158]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:34 kyoto sshd[59160]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:35 kyoto sshd[59162]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:36 kyoto sshd[59164]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:37 kyoto sshd[59170]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:37 kyoto sshd[59172]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:38 kyoto sshd[59174]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:39 kyoto sshd[59176]: Invalid user hadoop from 62.27.42.80
Jun 5 00:35:39 kyoto sshd[59178]: Invalid user hadoop from 62.27.42.80
Jun 5 00:35:40 kyoto sshd[59180]: Invalid user hadoop from 62.27.42.80
Jun 5 00:35:41 kyoto sshd[59182]: Invalid user hadoop from 62.27.42.80
According to whatismyipaddress, the hackers are from Germany and China!
Hostname: 62.27.42.80
ISP: nacamar GmbH
Organization: ecotel communication AG (extern)
Proxy: None detected
Type: Corporate
Assignment: Static IP
Hostname: 218.87.16.140
ISP: Data Communication Division
Organization: CHINANET Jiangxi province network
Proxy: None detected
Type: Broadband
Assignment: Static IP
Blacklist:
Yay! That cut down considerably on the sshd attacks. They were coming from just a few IPs (interestingly, from all over the world, most probably a zombie army):
kyoto:data karen$ more hosts-restricted
108.16.139.210:95:Sun Jun 12 00:14:50 2011
113.105.159.162:3:Sun Jun 12 00:14:51 2011
119.62.128.115:0:Sun Jun 12 00:15:53 2011
121.9.206.64:156:Sun Jun 12 00:15:42 2011
123.13.201.202:6:Sun Jun 12 00:14:50 2011
123.232.6.120:148:Sun Jun 12 00:14:51 2011
128.95.92.201:2:Sun Jun 12 00:15:54 2011
129.10.105.77:2:Sun Jun 12 00:15:54 2011
173.201.36.48:52:Sun Jun 12 00:15:53 2011
182.18.24.7:28:Sun Jun 12 00:14:50 2011
186.3.71.250:4:Sun Jun 12 00:15:54 2011
190.208.34.228:7:Sun Jun 12 00:15:53 2011
201.56.254.145:1:Sun Jun 12 00:14:50 2011
202.131.105.99:2:Sun Jun 12 00:15:54 2011
208.79.211.112:0:Thu Jun 9 14:56:14 2011
211.136.163.126:1014:Sun Jun 12 00:15:42 2011
211.143.168.60:0:Sun Jun 12 00:14:50 2011
217.149.195.108:3:Sun Jun 12 00:14:51 2011
218.64.53.176:235:Sun Jun 12 00:14:50 2011
218.87.16.140:24:Sun Jun 12 00:15:54 2011
220.225.226.91:0:Sun Jun 12 00:15:54 2011
221.2.163.252:3:Sun Jun 12 00:14:51 2011
222.106.248.24:0:Sun Jun 12 00:14:50 2011
41.241.220.103:0:Sat Jun 11 23:49:48 2011
46.246.111.28:38:Sun Jun 12 00:15:53 2011
46.4.76.168:9:Sun Jun 12 00:14:50 2011
49.212.44.104:28:Sun Jun 12 00:14:50 2011
61.177.191.219:0:Sun Jun 12 00:15:53 2011
61.19.213.42:20:Sun Jun 12 00:14:50 2011
62.27.42.80:46:Sun Jun 12 00:15:53 2011
64.50.172.184:0:Sun Jun 12 00:15:53 2011
71.234.233.130:0:Sat Jun 11 23:27:17 2011
77.247.158.162:2:Sun Jun 12 00:14:50 2011
80.69.92.87:241:Sun Jun 12 00:14:51 2011
88.190.17.174:10:Sun Jun 12 00:15:53 2011
88.191.137.219:2:Sun Jun 12 00:14:50 2011
94.102.1.81:4:Sun Jun 12 00:14:50 2011
95.142.51.22:7:Sun Jun 12 00:14:50 2011
97.74.206.32:8:Sun Jun 12 00:14:50 2011
One hacker (211.136.163.126) is in Shanghai, China and was responsible for over 1000 break-in attempts!
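The two artifacts above, the sshd "Invalid user" lines and the denyhosts hosts-restricted list, are both simple enough to parse yourself, which is handy for checking what the tool decided and for spotting the top offenders without eyeballing forty lines. The script below is an added example, not code from the post or from the denyhosts project: it counts invalid-user attempts per source IP from an auth log (the threshold-and-block decision is a simplified stand-in for what denyhosts does, not its actual logic), and it parses hosts-restricted as ip:count:timestamp, treating the third field as a timestamp without assuming which event it marks. The sample log lines are taken from the excerpt above plus one constructed non-matching line; the hosts-restricted sample is a handful of entries from the list above.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the sshd lines quoted in the post, e.g.
#   Jun 5 00:35:31 kyoto sshd[59150]: Invalid user prueba from 62.27.42.80
# A trailing " port N ssh2" (added by newer sshd releases) is tolerated.
INVALID_USER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"
    r"(?:\s.*)?$"
)

# Sample input: five lines copied from the post's log excerpt, plus one
# constructed "Connection closed" line to show unrelated messages are skipped.
SAMPLE_LOG = """\
Jun 5 00:35:31 kyoto sshd[59150]: Invalid user prueba from 62.27.42.80
Jun 5 00:35:32 kyoto sshd[59152]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:32 kyoto sshd[59154]: Invalid user postgres from 62.27.42.80
Jun 5 00:35:39 kyoto sshd[59176]: Invalid user hadoop from 62.27.42.80
Jun 5 00:35:39 kyoto sshd[59178]: Invalid user hadoop from 62.27.42.80
Jun 5 00:36:02 kyoto sshd[59190]: Connection closed by 10.0.0.5
"""

# Sample hosts-restricted entries copied from the post (ip:count:timestamp).
SAMPLE_HOSTS_RESTRICTED = """\
108.16.139.210:95:Sun Jun 12 00:14:50 2011
208.79.211.112:0:Thu Jun 9 14:56:14 2011
211.136.163.126:1014:Sun Jun 12 00:15:42 2011
218.64.53.176:235:Sun Jun 12 00:14:50 2011
62.27.42.80:46:Sun Jun 12 00:15:53 2011
"""


def parse_invalid_user(line):
    """Return the fields of one 'Invalid user' line, or None for any other line."""
    m = INVALID_USER_RE.match(line.strip())
    return m.groupdict() if m else None


def count_attempts(log_text):
    """Count invalid-user attempts per source IP and record the usernames tried."""
    attempts = Counter()
    usernames = {}
    for line in log_text.splitlines():
        rec = parse_invalid_user(line)
        if rec is None:
            continue
        attempts[rec["ip"]] += 1
        usernames.setdefault(rec["ip"], set()).add(rec["user"])
    return attempts, usernames


def hosts_over_threshold(attempts, threshold):
    """IPs whose attempt count reaches the threshold (simplified block decision)."""
    return sorted(ip for ip, n in attempts.items() if n >= threshold)


def parse_hosts_restricted(text):
    """Parse hosts-restricted lines (ip:count:timestamp) into (ip, count, datetime)."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ip, count, stamp = raw.split(":", 2)
        seen = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        entries.append((ip, int(count), seen))
    return entries


def top_offenders(entries, n=3):
    """Entries sorted by attempt count, most active first."""
    return sorted(entries, key=lambda e: e[1], reverse=True)[:n]


if __name__ == "__main__":
    attempts, usernames = count_attempts(SAMPLE_LOG)
    for ip, n in attempts.most_common():
        print(f"{ip}: {n} attempts, usernames tried: {sorted(usernames[ip])}")
    print("would block at threshold 3:", hosts_over_threshold(attempts, 3))
    for ip, n, seen in top_offenders(parse_hosts_restricted(SAMPLE_HOSTS_RESTRICTED)):
        print(f"{ip}: {n} attempts, timestamp {seen:%Y-%m-%d %H:%M:%S}")
```

Run against a real auth log (on Mac OS X 10.6 that is /var/log/secure.log) by feeding its contents to count_attempts; the per-IP username sets are what distinguish a password-guessing run (many usernames, one IP) from a single mistyped login.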
I'll have to post the configuration instructions for denyhost, as they were different on Mac OS X 10.6 from the ones on the web.
P.S. The creator of denyhost was hacked via an SSH break-in; read his story here: http://denyhosts.sourceforge.net/hack_tale.html