We currently have an ASN, but after only a few days of use we have already received notifications about a particular IP attacking a site via SSH. What are the appropriate measures? Should I block SSH access from customers?
Dear Sir/Madam,
we have detected abuse from the IP address 170.xx.xxx.90, which according to a
whois lookup is on your network. We would appreciate if you would investigate
and take action as appropriate.
Log lines are given below, but please ask if you require any further information.
If you are not the correct person to contact about this please accept our apologies -
your e-mail address was extracted from the whois record by an automated process.
This mail was automatically generated.
Note: Local timezone is +0100 (CET)
Jan 14 13:43:54 xxx sshd[1571]: Invalid user secret from 170.xx.xxx.90
Jan 14 13:43:54 xxx sshd[1571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=170.xx.xxx.90
Jan 14 13:43:55 xxx sshd[1571]: Failed password for invalid user secret from 170.xx.xxx.90 port 49381 ssh2
Jan 14 13:43:58 xxx sshd[1571]: Failed password for invalid user secret from 170.xx.xxx.90 port 49381 ssh2
Jan 14 13:44:00 xxx sshd[1571]: Failed password for invalid user secret from 170.xx.xxx.90 port 49381 ssh2
Jan 14 13:44:03 xxx sshd[1571]: Failed password for invalid user secret from 170.xx.xxx.90 port 49381 ssh2
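As an added example (not part of the original post), a small Python script that parses sshd lines like the ones in the abuse report, groups failed passwords by source address and flags any source at or above a threshold; this is the kind of check an ASN operator can run against the customer host's own auth log to confirm the report before deciding whether to filter anything. The sample input is constructed from the lines quoted above (masked address kept as written), with one successful login from a constructed address 10.0.0.5 added for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the sshd lines quoted in the abuse report above
# (masked address kept as written) plus one successful login for contrast.
SAMPLE_LOG = """\
Jan 14 13:43:54 xxx sshd[1571]: Invalid user secret from 170.xx.xxx.90
Jan 14 13:43:54 xxx sshd[1571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=170.xx.xxx.90
Jan 14 13:43:55 xxx sshd[1571]: Failed password for invalid user secret from 170.xx.xxx.90 port 49381 ssh2
Jan 14 13:43:58 xxx sshd[1571]: Failed password for invalid user secret from 170.xx.xxx.90 port 49381 ssh2
Jan 14 13:44:00 xxx sshd[1571]: Failed password for invalid user secret from 170.xx.xxx.90 port 49381 ssh2
Jan 14 13:44:03 xxx sshd[1571]: Failed password for invalid user secret from 170.xx.xxx.90 port 49381 ssh2
Jan 14 13:50:12 xxx sshd[1602]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
"""

# Matches the syslog-style "Failed password" line; "invalid user" is optional
# because sshd omits it when the account exists but the password is wrong.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

def parse_failed_logins(log_text):
    """Yield (timestamp, user, source) for every 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; the parsed year is irrelevant for spans.
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def summarize_sources(log_text, threshold=3):
    """Group failures by source IP and return those with at least `threshold` attempts."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failed_logins(log_text):
        by_src[src].append((ts, user))
    report = {}
    for src, events in by_src.items():
        if len(events) < threshold:
            continue
        times = [t for t, _ in events]
        report[src] = {
            "attempts": len(events),
            "users": sorted({u for _, u in events}),
            "first": min(times).strftime("%H:%M:%S"),
            "last": max(times).strftime("%H:%M:%S"),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
        }
    return report

if __name__ == "__main__":
    for src, info in summarize_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} failed logins in {info['span_seconds']}s, "
              f"users tried: {info['users']}")
```

Run against the sample, it reports 170.xx.xxx.90 with 4 failures in 8 seconds against the single user "secret", while the successful publickey login is ignored.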