Jerry Geis wrote:
> I have quite a few entries in /var/log/messages for connection
> attempts. Is there anything other
> than ignoring them I can do? Example is below.
>
> Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
> Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=wsip-24-234-149-156.lv.lv.cox.net
>

Heh. Welcome to the club. If you've got a well connected machine, and it's listening on any ports, you'll get these. I sometimes get 100-200k logwatch reports and it's all idiots trying to run dictionary attacks against ssh. It comes in waves. Some days I don't get any.

All you can really do is filter the naughty IP addresses, but that doesn't really do a whole lot of good since they rarely come from the same place twice.

Back in the days when this was so common, I'd make an effort to find the netblock owner and warn them that one of their machines had been compromised, but that's not even worth the effort anymore. A lot of times, it's from some big ISP who just drops those complaints on the floor...especially if it's in the far east.

Cheers,
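As an added example that is not part of the original post: a script that tallies sshd failures per remote host from pam_unix lines of the kind quoted above, pairing each "user unknown" line with the failure logged by the same sshd PID. The first two sample lines are from the post; the remaining lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Matches the pam_unix lines sshd writes to /var/log/messages, e.g.
# "Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown"
LINE = re.compile(r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RHOST = re.compile(r"\brhost=(?P<rhost>\S+)")

# First two lines are from the post (unwrapped); the rest are constructed.
SAMPLE = """\
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Aug 21 15:48:23 machine sshd(pam_unix)[17905]: check pass; user unknown
Aug 21 15:48:23 machine sshd(pam_unix)[17905]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Aug 21 15:48:27 machine sshd(pam_unix)[17907]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net  user=root
Aug 21 16:02:41 machine sshd(pam_unix)[18110]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice
Aug 21 16:02:50 machine sshd(pam_unix)[18112]: session opened for user alice by (uid=0)
""".splitlines()

def tally_failures(lines):
    """Return {rhost: {"failures": n, "unknown_user": m}}.

    "user unknown" lines carry no source address, so they are held per sshd
    PID and credited to the rhost of the next failure from that PID.
    """
    pending_unknown = Counter()  # pid -> unknown-user lines not yet attributed
    stats = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("check pass; user unknown"):
            pending_unknown[pid] += 1
        elif msg.startswith("authentication failure;"):
            r = RHOST.search(msg)
            if not r:  # empty rhost= field: nothing to attribute
                continue
            entry = stats.setdefault(r.group("rhost"), {"failures": 0, "unknown_user": 0})
            entry["failures"] += 1
            entry["unknown_user"] += pending_unknown.pop(pid, 0)
    return stats

def candidates(stats, threshold):
    """Hosts with at least `threshold` failures, noisiest first."""
    hits = [(h, s["failures"]) for h, s in stats.items() if s["failures"] >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    print(candidates(tally_failures(SAMPLE), threshold=3))
```

A high share of unknown-user failures from one host is the signature of the dictionary runs described in the reply, as opposed to a legitimate user mistyping a password.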