Hi,

I spotted this going on with my system very early on, being a keen observer of my logs.
To remedy this, I currently have a block on sshd of ALL users on my system except a random one. That user account has a pretty secure password which is not likely to fall victim to a dictionary attack.
Just to make sure that it doesn't get dictionaried particularly much (I was noting some 180 - 300 attempts per host at cracking sshd before the next fix I put in place), I installed Blockhosts python script and set it up to be particularly harsh. I now allow only 3 failed attempts from any single IP outside my LAN, before blocking the IP for a significant period of time. I am currently blocking 11 hosts, though have been blocking as many as 30. So, other than the hosts that stopped before 3 attempts, I've managed to reduce my attacks by between 99 and 99.5 % of the total number that would have been reaching sshd otherwise. I have had no attacks attempted against that account at all, meaning that every single attack that had been attempted before being blocked couldn't have succeeded anyway.
Blockhosts can be found at http://www.aczoom.com/cms/blockhosts/

I had to install Python 2.4 from pkgsrc before being able to get this to work. At some point, I'll be certain to look into the next step of linking this in with ipfilter (and setting up ipfilter), on the grounds that it would be nice to stop ANY communication coming in from these hosts once they've tried to break my system.
Hope that's of some help?

On the side against dealing with a broken system, I believe the general advice given here has been to rebuild from scratch. As inconvenient as it is, I have to agree with this. There simply is no possible way to be certain what has been done to a system once it is believed to have been compromised.
Steve
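The threshold logic Steve describes (count sshd authentication failures per source address, ignore addresses on the LAN, block an address after 3 failures for a long period) is small enough to show in full. The script below is an added example written for this thread, not Blockhosts itself or any code from the list. It assumes standard sshd "Failed password" log lines, assumes 192.168.0.0/16 and 10.0.0.0/8 are the LAN ranges, picks one week as the "significant period", and renders the block list as hosts.allow deny rules of the kind TCP Wrappers accepts; the sample log lines are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Matches sshd's "Failed password for [invalid user] NAME from IP port N" auth log line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed LAN ranges that are never blocked (the post only says "outside my LAN").
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("10.0.0.0/8")]

THRESHOLD = 3                   # failed attempts allowed per IP, as in the post
BLOCK_SECONDS = 7 * 24 * 3600   # assumed "significant period": one week


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


class FailureTracker:
    def __init__(self, threshold=THRESHOLD, block_seconds=BLOCK_SECONDS):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.failures = defaultdict(int)    # ip -> failed attempts seen so far
        self.blocked_until = {}             # ip -> unix time at which the block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            # Block has lapsed: forget it and start counting afresh.
            del self.blocked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def observe(self, line, now):
        """Feed one log line; return the IP if this line triggered a new block."""
        m = FAILED_RE.search(line)
        if m is None:
            return None                     # not a failed login, nothing to count
        ip = m.group("ip")
        if is_lan(ip) or self.is_blocked(ip, now):
            return None
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.blocked_until[ip] = now + self.block_seconds
            return ip
        return None

    def blocked(self, now):
        """Currently blocked addresses, dropping any whose block has expired."""
        return sorted(ip for ip in list(self.blocked_until) if self.is_blocked(ip, now))

    def deny_lines(self, now):
        """Render the block list as hosts.allow deny rules (TCP Wrappers syntax)."""
        return ["ALL: %s : deny" % ip for ip in self.blocked(now)]


# Constructed sample log: one remote host fails four times, another once,
# a LAN host fails three times, and one line is a successful login.
SAMPLE_LOG = [
    "Nov  3 10:01:02 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2",
    "Nov  3 10:01:04 gw sshd[1234]: Failed password for invalid user test from 203.0.113.5 port 4445 ssh2",
    "Nov  3 10:01:05 gw sshd[1240]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Nov  3 10:01:06 gw sshd[1234]: Failed password for root from 203.0.113.5 port 4446 ssh2",
    "Nov  3 10:01:07 gw sshd[1250]: Failed password for steve from 192.168.1.10 port 50000 ssh2",
    "Nov  3 10:01:08 gw sshd[1250]: Failed password for steve from 192.168.1.10 port 50001 ssh2",
    "Nov  3 10:01:09 gw sshd[1250]: Failed password for steve from 192.168.1.10 port 50002 ssh2",
    "Nov  3 10:01:10 gw sshd[1260]: Accepted publickey for steve from 198.51.100.7 port 51001 ssh2",
]


def run_sample(now=1000):
    """Replay the sample log one second per line; return the tracker and new blocks."""
    tracker = FailureTracker()
    newly_blocked = []
    for i, line in enumerate(SAMPLE_LOG):
        hit = tracker.observe(line, now + i)
        if hit:
            newly_blocked.append(hit)
    return tracker, newly_blocked


if __name__ == "__main__":
    tracker, hits = run_sample()
    print("newly blocked:", hits)
    for rule in tracker.deny_lines(1010):
        print(rule)
```

Only 203.0.113.5 reaches the threshold; 198.51.100.7 stays at one failure, and the LAN host is never counted however often it fails. Feeding the tracker a later timestamp past the expiry drops the block and resets that host's count, which is the unblock behaviour one wants so that a long-lived block list does not grow without bound.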
http://fail2ban.sourceforge.net/ or similar ? (not tried it myself)

Any other suggestions ?

How about using pkgsrc/security/pam-af ?

--
"Of course I love NetBSD" :-)
OBATA Akio / obache%NetBSD.org@localhost