Deny logon for x hours if login failed x times

Hello,

I have a small inquiry.
Sometimes, my good friend, Charlie Root, sends me security notifications that a possible break-in attempt has occurred. It looks like this:

Oct 29 06:58:17 cigva sshd[<random port>]: reverse mapping checking getaddrinfo for 180.144.164.220.broad.sm.yn.dynamic.163data.com.cn [220.164.144.180] failed - POSSIBLE BREAK-IN ATTEMPT!

(goonet.info is probably the worst culprit yet on my system with downright spamming).

As far as I can see, that connection is not one I'd want to allow. I do not recognize any of the IP addresses above. My system rejects it but I would like to add a bit extra to help get rid of these would-be hackers.

Do any of you know what people are actually trying to do? Are they scanning for SSH connections to abuse or...?

Is it possible to either:

  1. Prevent this from being able to be done every second (i.e. increase it to a 10-second delay between the attempts on <whatever he is doing>)?

  2. Can you deny logon for a specified time from a given IP if several login attempts from that IP are made (ex. >= 3 failed)?

Thanks,
Klaus :slight_smile:

What are your firewall settings?

Have a look at Fail2ban.
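As an added illustration (not code from the thread or from the Fail2ban project), the policy Klaus asks for in item 2, "ban an IP for a while after N failures", implemented in Python over constructed sshd log lines following the maxretry/findtime/bantime idea that Fail2ban uses. The sample lines, the thresholds, the year (syslog timestamps carry none) and the choice to count the reverse-mapping warning as a failure are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the same shape as the one quoted in the thread
# (PIDs, ports and the second IP are made up).
SAMPLE_LOG = """\
Oct 29 06:58:17 cigva sshd[4411]: reverse mapping checking getaddrinfo for 180.144.164.220.broad.sm.yn.dynamic.163data.com.cn [220.164.144.180] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 29 06:58:18 cigva sshd[4411]: Failed password for invalid user admin from 220.164.144.180 port 51234 ssh2
Oct 29 06:58:19 cigva sshd[4412]: Failed password for invalid user oracle from 220.164.144.180 port 51235 ssh2
Oct 29 07:30:00 cigva sshd[4501]: Failed password for klaus from 192.0.2.10 port 40001 ssh2
Oct 29 07:31:00 cigva sshd[4502]: Accepted password for klaus from 192.0.2.10 port 40002 ssh2
""".splitlines()

# Matches the reverse-mapping warning (counted as a failure here by choice,
# since it is the line the thread asks about) and plain failed passwords.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:.*?\[(?P<ip1>\d+\.\d+\.\d+\.\d+)\] failed - POSSIBLE BREAK-IN ATTEMPT!"
    r"|Failed password for .* from (?P<ip2>\d+\.\d+\.\d+\.\d+) port \d+)"
)

def parse(line, year=2024):
    """Return (timestamp, ip) for a failure line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip1"] or m["ip2"]

def bans(lines, maxretry=3, findtime=timedelta(minutes=10),
         bantime=timedelta(hours=1)):
    """Map each IP with >= maxretry failures inside findtime to its ban expiry."""
    history = defaultdict(list)  # ip -> timestamps of recent failures
    banned = {}                  # ip -> datetime when the ban lapses
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned and ts < banned[ip]:
            continue  # logged while banned: a firewall rule would have dropped it
        recent = [t for t in history[ip] if ts - t <= findtime] + [ts]
        history[ip] = recent
        if len(recent) >= maxretry:
            banned[ip] = ts + bantime
            history[ip] = []  # start counting afresh once the ban lapses
    return banned

if __name__ == "__main__":
    for ip, until in bans(SAMPLE_LOG).items():
        print(f"deny {ip} until {until}")
```

With these inputs only 220.164.144.180 reaches three failures within the window; the single failure from 192.0.2.10 followed by a successful login is left alone.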