51

I'm seeing a lot of log entries that appear to be failed login attempts from unknown IP addresses.

I am using private and public keys to log in with SSH, but I have noticed that even with private and public keys set I am able to log in to my server with FileZilla without running Pageant. Is this normal? What should I do to further protect myself from what seems like a brute force attack?

Here's the log:

Oct  3 14:11:52 xxxxxx sshd[29938]: Invalid user postgres from 212.64.151.233
Oct  3 14:11:52 xxxxxx sshd[29938]: input_userauth_request: invalid user postgres [preauth]
Oct  3 14:11:52 xxxxxx sshd[29938]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:52 xxxxxx sshd[29940]: Invalid user postgres from 212.64.151.233
Oct  3 14:11:52 xxxxxx sshd[29940]: input_userauth_request: invalid user postgres [preauth]
Oct  3 14:11:52 xxxxxx sshd[29940]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:52 xxxxxx sshd[29942]: Invalid user postgres from 212.64.151.233
Oct  3 14:11:52 xxxxxx sshd[29942]: input_userauth_request: invalid user postgres [preauth]
Oct  3 14:11:52 xxxxxx sshd[29942]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:52 xxxxxx sshd[29944]: Invalid user postgres from 212.64.151.233
Oct  3 14:11:52 xxxxxx sshd[29944]: input_userauth_request: invalid user postgres [preauth]
Oct  3 14:11:52 xxxxxx sshd[29944]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:52 xxxxxx sshd[29946]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:52 xxxxxx sshd[29948]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:52 xxxxxx sshd[29950]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:52 xxxxxx sshd[29952]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:53 xxxxxx sshd[29954]: Invalid user admin from 212.64.151.233
Oct  3 14:11:53 xxxxxx sshd[29954]: input_userauth_request: invalid user admin [preauth]
Oct  3 14:11:53 xxxxxx sshd[29954]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:53 xxxxxx sshd[29956]: Invalid user admin from 212.64.151.233
Oct  3 14:11:53 xxxxxx sshd[29956]: input_userauth_request: invalid user admin [preauth]
Oct  3 14:11:53 xxxxxx sshd[29956]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:53 xxxxxx sshd[29958]: Invalid user admin from 212.64.151.233
Oct  3 14:11:53 xxxxxx sshd[29958]: input_userauth_request: invalid user admin [preauth]
Oct  3 14:11:53 xxxxxx sshd[29958]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:53 xxxxxx sshd[29960]: User mysql not allowed because account is locked
Oct  3 14:11:53 xxxxxx sshd[29960]: input_userauth_request: invalid user mysql [preauth]
Oct  3 14:11:53 xxxxxx sshd[29960]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:53 xxxxxx sshd[29962]: User mysql not allowed because account is locked
Oct  3 14:11:53 xxxxxx sshd[29962]: input_userauth_request: invalid user mysql [preauth]
Oct  3 14:11:53 xxxxxx sshd[29962]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:53 xxxxxx sshd[29964]: Invalid user prueba from 212.64.151.233
Oct  3 14:11:53 xxxxxx sshd[29964]: input_userauth_request: invalid user prueba [preauth]
Oct  3 14:11:53 xxxxxx sshd[29964]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:53 xxxxxx sshd[29966]: Invalid user prueba from 212.64.151.233
Oct  3 14:11:53 xxxxxx sshd[29966]: input_userauth_request: invalid user prueba [preauth]
Oct  3 14:11:53 xxxxxx sshd[29966]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:53 xxxxxx sshd[29968]: Invalid user usuario from 212.64.151.233
Oct  3 14:11:53 xxxxxx sshd[29968]: input_userauth_request: invalid user usuario [preauth]
Oct  3 14:11:53 xxxxxx sshd[29968]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29970]: Invalid user usuario from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29970]: input_userauth_request: invalid user usuario [preauth]
Oct  3 14:11:54 xxxxxx sshd[29970]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29972]: Invalid user admin from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29972]: input_userauth_request: invalid user admin [preauth]
Oct  3 14:11:54 xxxxxx sshd[29972]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29974]: Invalid user nagios from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29974]: input_userauth_request: invalid user nagios [preauth]
Oct  3 14:11:54 xxxxxx sshd[29974]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29976]: Invalid user nagios from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29976]: input_userauth_request: invalid user nagios [preauth]
Oct  3 14:11:54 xxxxxx sshd[29976]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29978]: Invalid user nagios from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29978]: input_userauth_request: invalid user nagios [preauth]
Oct  3 14:11:54 xxxxxx sshd[29978]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29980]: Invalid user nagios from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29980]: input_userauth_request: invalid user nagios [preauth]
Oct  3 14:11:54 xxxxxx sshd[29980]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29982]: Invalid user oracle from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29982]: input_userauth_request: invalid user oracle [preauth]
Oct  3 14:11:54 xxxxxx sshd[29982]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29984]: Invalid user oracle from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29984]: input_userauth_request: invalid user oracle [preauth]
Oct  3 14:11:54 xxxxxx sshd[29984]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:54 xxxxxx sshd[29986]: Invalid user oracle from 212.64.151.233
Oct  3 14:11:54 xxxxxx sshd[29986]: input_userauth_request: invalid user oracle [preauth]
Oct  3 14:11:54 xxxxxx sshd[29986]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:55 xxxxxx sshd[29988]: Invalid user oracle from 212.64.151.233
Oct  3 14:11:55 xxxxxx sshd[29988]: input_userauth_request: invalid user oracle [preauth]
Oct  3 14:11:55 xxxxxx sshd[29988]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:55 xxxxxx sshd[29990]: Invalid user ftpuser from 212.64.151.233
Oct  3 14:11:55 xxxxxx sshd[29990]: input_userauth_request: invalid user ftpuser [preauth]
Oct  3 14:11:55 xxxxxx sshd[29990]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:55 xxxxxx sshd[29992]: Invalid user ftpuser from 212.64.151.233
Oct  3 14:11:55 xxxxxx sshd[29992]: input_userauth_request: invalid user ftpuser [preauth]
Oct  3 14:11:55 xxxxxx sshd[29992]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:55 xxxxxx sshd[29994]: Invalid user ftpuser from 212.64.151.233
Oct  3 14:11:55 xxxxxx sshd[29994]: input_userauth_request: invalid user ftpuser [preauth]
Oct  3 14:11:55 xxxxxx sshd[29994]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:55 xxxxxx sshd[29996]: Invalid user guest from 212.64.151.233
Oct  3 14:11:55 xxxxxx sshd[29996]: input_userauth_request: invalid user guest [preauth]
Oct  3 14:11:55 xxxxxx sshd[29996]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:55 xxxxxx sshd[29998]: Invalid user guest from 212.64.151.233
Oct  3 14:11:55 xxxxxx sshd[29998]: input_userauth_request: invalid user guest [preauth]
Oct  3 14:11:55 xxxxxx sshd[29998]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:55 xxxxxx sshd[30000]: Invalid user guest from 212.64.151.233
Oct  3 14:11:55 xxxxxx sshd[30000]: input_userauth_request: invalid user guest [preauth]
Oct  3 14:11:55 xxxxxx sshd[30000]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:55 xxxxxx sshd[30002]: Invalid user guest from 212.64.151.233
Oct  3 14:11:55 xxxxxx sshd[30002]: input_userauth_request: invalid user guest [preauth]
Oct  3 14:11:55 xxxxxx sshd[30002]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:56 xxxxxx sshd[30004]: Invalid user test from 212.64.151.233
Oct  3 14:11:56 xxxxxx sshd[30004]: input_userauth_request: invalid user test [preauth]
Oct  3 14:11:56 xxxxxx sshd[30004]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:56 xxxxxx sshd[30006]: Invalid user test from 212.64.151.233
Oct  3 14:11:56 xxxxxx sshd[30006]: input_userauth_request: invalid user test [preauth]
Oct  3 14:11:56 xxxxxx sshd[30006]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:56 xxxxxx sshd[30008]: Invalid user test from 212.64.151.233
Oct  3 14:11:56 xxxxxx sshd[30008]: input_userauth_request: invalid user test [preauth]
Oct  3 14:11:56 xxxxxx sshd[30008]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:56 xxxxxx sshd[30010]: Invalid user test from 212.64.151.233
Oct  3 14:11:56 xxxxxx sshd[30010]: input_userauth_request: invalid user test [preauth]
Oct  3 14:11:56 xxxxxx sshd[30010]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:56 xxxxxx sshd[30012]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:56 xxxxxx sshd[30014]: Invalid user user from 212.64.151.233
Oct  3 14:11:56 xxxxxx sshd[30014]: input_userauth_request: invalid user user [preauth]
Oct  3 14:11:56 xxxxxx sshd[30014]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:56 xxxxxx sshd[30016]: Invalid user user from 212.64.151.233
Oct  3 14:11:56 xxxxxx sshd[30016]: input_userauth_request: invalid user user [preauth]
Oct  3 14:11:56 xxxxxx sshd[30016]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:56 xxxxxx sshd[30018]: Invalid user user from 212.64.151.233
Oct  3 14:11:56 xxxxxx sshd[30018]: input_userauth_request: invalid user user [preauth]
Oct  3 14:11:56 xxxxxx sshd[30018]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:57 xxxxxx sshd[30020]: Invalid user user from 212.64.151.233
Oct  3 14:11:57 xxxxxx sshd[30020]: input_userauth_request: invalid user user [preauth]
Oct  3 14:11:57 xxxxxx sshd[30020]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:57 xxxxxx sshd[30022]: Invalid user jboss from 212.64.151.233
Oct  3 14:11:57 xxxxxx sshd[30022]: input_userauth_request: invalid user jboss [preauth]
Oct  3 14:11:57 xxxxxx sshd[30022]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:57 xxxxxx sshd[30024]: Invalid user jboss from 212.64.151.233
Oct  3 14:11:57 xxxxxx sshd[30024]: input_userauth_request: invalid user jboss [preauth]
Oct  3 14:11:57 xxxxxx sshd[30024]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:57 xxxxxx sshd[30026]: Invalid user squid from 212.64.151.233
Oct  3 14:11:57 xxxxxx sshd[30026]: input_userauth_request: invalid user squid [preauth]
Oct  3 14:11:57 xxxxxx sshd[30026]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:57 xxxxxx sshd[30028]: Invalid user squid from 212.64.151.233
Oct  3 14:11:57 xxxxxx sshd[30028]: input_userauth_request: invalid user squid [preauth]
Oct  3 14:11:57 xxxxxx sshd[30028]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:57 xxxxxx sshd[30030]: Invalid user temp from 212.64.151.233
Oct  3 14:11:57 xxxxxx sshd[30030]: input_userauth_request: invalid user temp [preauth]
Oct  3 14:11:57 xxxxxx sshd[30030]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:57 xxxxxx sshd[30032]: Invalid user svn from 212.64.151.233
Oct  3 14:11:57 xxxxxx sshd[30032]: input_userauth_request: invalid user svn [preauth]
Oct  3 14:11:57 xxxxxx sshd[30032]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct  3 14:11:57 xxxxxx sshd[30034]: Invalid user ts from 212.64.151.233
Oct  3 14:11:57 xxxxxx sshd[30034]: input_userauth_request: invalid user ts [preauth]
Oct  3 14:11:57 xxxxxx sshd[30034]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Xander
mk_89

7 Answers

65

It is very common. Many botnets try to spread that way, so this is a wide scale mindless attack. Mitigation measures include:

  • Use passwords with high entropy which are very unlikely to be brute-forced.
  • Disable SSH login for root.
  • Use an "unlikely" user name, which botnets will not use.
  • Disable password-based authentication altogether.
  • Run the SSH server on another port than 22.
  • Use fail2ban to reject attackers' IP automatically or slow them down.
  • Allow SSH connections only from a whitelist of IPs (beware not to lock yourself out if your home IP is nominally dynamic!).

Most of these measures are about keeping your log files small; even when the brute force does not succeed, the thousands of log entries are a problem since they can hide actual targeted attacks. A bit of security through obscurity (such as the unlikely user name and the port change) works marvels against mindless attackers: yeah, security through obscurity is bad and wrong and so on, but sometimes it works and you will not get fried by a vengeful deity if you use it sensibly.

A high entropy password will be effective against intelligent attackers, though, and can only be recommended in all situations.

Thomas Pornin
  • I'd also add "SSH disallowed from internet" or "SSH only allowed from certain IP's". I only allow SSH to my home router from my internal IPs and my work IP address. – WernerCD Oct 03 '12 at 20:28
  • @WernerCD: DONE. – Thomas Pornin Oct 03 '12 at 20:34
  • 5
    Isn't a high entropy password the ultimate security by obscurity? :) – user Oct 04 '12 at 11:23
  • 3
    @MichaelKjörling: He. It's security by total darkness. Muuuuch better. (Seriously, though, the whole difference is quantification: if I can measure _how much_ it is secure, such as password entropy, then it is not "by obscurity".) – Thomas Pornin Oct 04 '12 at 11:25
  • 1
    @ThomasPornin Moving SSH to a random TCP port adds roughly 16 bits worth of entropy to any other security measures you have in place, since there are 16 bits available for each port (source and destination) in TCP. So it is definitely measurable. I suppose you could also argue that it adds more entropy in practice, since before the attacker gets that part right nothing else matters (you don't even know SSH is available). All this said, I still upvoted the answer because I felt it's a great run-down of possible options to help in the OP's situation. – user Oct 04 '12 at 11:32
  • 7
    @MichaelKjörling: unfortunately, it does not work so: entropy bits add up only when the secret data can only be attacked all in one go. With SSH, you can first locate the server by trying port values (a SSH server will respond with a banner). Once the SSH server is located, the passwords can be tried on that port, without bothering with the others. To get 16 bits of extra entropy, you must actually run 65000 fake SSH servers which are indistinguishable from the real one, except that they reject all passwords (mmh... that _could_ be done with _one_ fake sshd, and some iptables). – Thomas Pornin Oct 04 '12 at 12:31
  • @ThomasPornin Good point. – user Oct 04 '12 at 13:50
  • I'm a huge fan of what you mentioned - disabling password logins all-together. Force login by ssh key and then only generate "rsa 4096" or stronger keys. I recommend, additionally, adding google-authenticator to require multi-factor auth anytime a password would be used (sudo, for example). – josiah Sep 16 '17 at 22:04
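Added example (not part of any answer on this page): a Python check for the "disable password-based authentication" and "disable SSH login for root" items above, applying sshd's first-value-wins rule to the global section of an `sshd_config`. The sample configuration and the function names `effective_settings` and `audit` are constructed for illustration, and the defaults assumed are upstream OpenSSH's.

```python
import re

# Upstream OpenSSH defaults, applied when a keyword is never set
# (assumption: the distribution's build keeps them).
DEFAULTS = {"passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

# Constructed sample: key login works, but password login was never turned off.
SAMPLE_CONFIG = """\
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
PermitRootLogin no
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
"""


def effective_settings(config_text):
    """Return ({keyword: (value, origin)}, [Include patterns]) for the global section."""
    found, includes = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # a commented-out directive sets nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()        # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break                         # conditional blocks are not evaluated here
        if keyword == "include":
            includes.append(value)
            continue
        found.setdefault(keyword, (value.lower(), "config"))  # first value wins
    for keyword, value in DEFAULTS.items():
        found.setdefault(keyword, (value, "default"))
    return found, includes


def audit(config_text):
    """List the settings that leave password or root logins open."""
    settings, includes = effective_settings(config_text)
    findings = []
    value, origin = settings["passwordauthentication"]
    if value != "no":
        findings.append(f"PasswordAuthentication is {value} ({origin}): password logins accepted")
    value, origin = settings["permitrootlogin"]
    if value != "no":
        findings.append(f"PermitRootLogin is {value} ({origin}): root can log in over SSH")
    for pattern in includes:
        findings.append(f"Include {pattern} not evaluated: files it names may set a value first")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration, including values that come from included files.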
10

The easiest and safest method to prevent unwanted access through SSH into your server will be to only allow SSH access to certain hosts.

This can be easily configured with TCP wrappers if you are using a Linux server. Firewalls to restrict access will work as well.

Unlike the other answers, I do not think changing the default port of the ssh service is a good idea. Security by obscurity never works and it won't stop a targeted attack by a determined attacker. It also causes some usability issues in my experience.

If limiting SSH access to certain hosts isn't an option, blacklisting IP addresses where the attack is coming from might work as well. However, note that this will not be effective against attackers who use multiple IP addresses from other compromised machines to attack you.

  • Yes, I have noticed that the IP addresses in my log file seem to vary, but blacklisting IP addresses will surely put anyone off from attempting to brute-force – mk_89 Oct 03 '12 at 14:06
  • Also, I cannot implement what you suggested in the first paragraph as I have a dynamic IP; I have to keep changing the IP address in the phpmyadmin apache.conf just to log in to phpmyadmin – mk_89 Oct 03 '12 at 14:08
5

There are a couple things you can do, and a couple of them it sounds like you're already doing, so that's good.

  1. Require a keyfile to log in.
  2. Don't run SSH on port 22. It's the first (and usually only) place a bot will look, and you can avoid 90% of these login attempts with a simple change to the SSHD config. [Edit: As Terry Chia rightly says, this is security through obscurity. It might keep your logs cleaner of bot entries, but it won't slow a human down one bit. If your system is still insecure, moving the insecurity to another port won't help.]
  3. Use something like Fail2ban. It monitors your logs and can add firewall rules to drop packets from any address that fails login too many times.
  4. If possible, only allow access from whitelisted IPs.

Ultimately, if you have a service like SSH accepting packets from the wider internet, there's nothing you can do to stop people attempting to attack it. Once you're satisfied that you've taken suitable precaution, log entries such as that should be noted but ultimately treated as background noise.

OtisBoxcar
  • They all seem like sound ideas; however, since I'm actually running a website, 4. would not be possible to implement. I only enable normal SSH login when I have to upload files using Dreamweaver, which is a pain. – mk_89 Oct 03 '12 at 14:03
  • Given what you've said, then, I recommend looking into something like Fail2ban. Something to keep the wolves at bay while you aren't there to manually block every IP. – OtisBoxcar Oct 03 '12 at 14:18
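Added example (not part of any answer on this page): the log-watching idea behind the fail2ban suggestions in the answers above, in Python, run over constructed lines in the format of the question's log. `maxretry` and `findtime` mirror fail2ban's jail options of the same names; the function name `find_offenders`, the year, and the sample addresses (documentation ranges) are assumptions. The `User mysql not allowed` lines carry no address, so the code ties them to the client through the sshd PID on the following disconnect line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the question's log.
SAMPLE_LOG = """\
Oct  3 14:11:52 host sshd[29938]: Invalid user postgres from 203.0.113.7
Oct  3 14:11:52 host sshd[29938]: input_userauth_request: invalid user postgres [preauth]
Oct  3 14:11:52 host sshd[29938]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Oct  3 14:11:53 host sshd[29954]: Invalid user admin from 203.0.113.7
Oct  3 14:11:53 host sshd[29960]: User mysql not allowed because account is locked
Oct  3 14:11:53 host sshd[29960]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Oct  3 14:11:54 host sshd[29972]: Invalid user nagios from 203.0.113.7
Oct  3 14:20:00 host sshd[30100]: Invalid user test from 198.51.100.9
Oct  3 14:45:00 host sshd[30200]: Invalid user test from 198.51.100.9
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
INVALID_RE = re.compile(r"^Invalid user (\S+) from (\S+)$")
DENIED_RE = re.compile(r"^User (\S+) not allowed because ")
DISCONNECT_RE = re.compile(r"^Received disconnect from (\S+?): ")


def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2012):
    """Return {ip: info} for addresses with >= maxretry failures inside findtime."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    seen = defaultdict(lambda: {"failures": 0, "users": set(), "first_trigger": None})
    pending = {}                 # sshd pid -> user, for failures logged without an IP

    def record(ip, user, when):
        info = seen[ip]
        info["failures"] += 1
        info["users"].add(user)
        window = recent[ip]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()     # forget failures older than the window
        if len(window) >= maxretry and info["first_trigger"] is None:
            info["first_trigger"] = when  # the point where a ban would start

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        # syslog timestamps carry no year, so one is supplied (assumed)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if (hit := INVALID_RE.match(msg)):
            record(hit.group(2), hit.group(1), when)
        elif (hit := DENIED_RE.match(msg)):
            pending[pid] = hit.group(1)   # the address arrives on a later line
        elif (hit := DISCONNECT_RE.match(msg)) and pid in pending:
            record(hit.group(1), pending.pop(pid), when)

    return {ip: info for ip, info in seen.items() if info["first_trigger"]}


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info["failures"], sorted(info["users"]), info["first_trigger"])
```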
4

Having an SSH port open is definitely prone to this kind of attack, since there are so many bots out there scanning for open SSH ports and launching such brute-force attacks with the aim of getting in. There will obviously be a problem if you have used default SSHD settings and allowed password-based connections. Thankfully you have not. I believe that changing your default port for listening on your SSHD will definitely reduce the number of attempts since most scanners look for open port 22. This is 'security by obscurity' and is definitely not a recommended fix. But it will fix your current problem, until someone with more experience provides a better solution.

sudhacker
4

Or use the Blacklist from http://www.blocklist.de/en/export.html and report all new attackers.

Import the ssh.txt and block all IPs that have been reported to the blacklist in the last 48 hours for SSH attacks, or block them with fail2ban and report them automatically to their ISP. Iptables blocklist scripts are available for download in the forum.

schroeder
Martin
  • 5
    Welcome to [security.se] - please see the [FAQ], it is considered bad form not to disclose your connection with a website you're advertising... which should not be at all the point of an answer, of course - see [answer]. Your answer could be much better if you explain how using this website would help the OP, instead of just dropping a link. And, please disclose your affiliation. – AviD Oct 04 '12 at 15:52
1

Because I find these SSH requests and the reams of logs they generate to be an annoying waste of system resources, I use port knocking. The SSH port is only visible to hosts from which the sequence of knocks is received. To other hosts, it appears as if there is no SSH service on that machine.

Port knocking is a little inconvenient in that to use it reliably over long-haul networks with variable lag, you really need a dedicated client program to send the knock sequence. Also, you may find yourself in some network which blocks outgoing traffic to some of the port numbers which you've chosen in your port knock sequence.

Instead of port knocking, you can implement web knocking. If the machine is running a public web server, you can put a tiny little web application (under a URL that only you know) such that if you browse that URL and put some correct value into a form and submit it, it will open up the port.

Kaz
  • 1
    Port knocking is [security by obscurity](http://security.stackexchange.com/a/1198/3644). Use ssh keys and fail2ban instead. – Martin Schröder Oct 03 '12 at 23:07
  • 2
    The argument that port knocking is security by obscurity is sheer twaddle (because it implies that port knocking is security, which it isn't). Although the knock sequence is a sort of password, there is no significant elevation in privilege when it is used. If you obtain the sequence, you have not gained access to anything important, only the ability to talk to a port (something that many servers already leave open). It cannot be compared to a cleartext password that gives you a shell prompt. – Kaz Oct 03 '12 at 23:44
  • 1
    So, if, say, 0.01% of the crackers out there guess my port knock sequence, I don't care. They're not getting in, and the other 99.99% haven't guessed it. That still keeps my syslog cleaner and my machine more quiescent than if I didn't have the knocking. – Kaz Oct 03 '12 at 23:47
  • `fail2ban` looks cool. I've done that sort of thing with scripts hooked into Apache. It looks like my kind of program. – Kaz Oct 03 '12 at 23:52
0

Regarding your FileZilla/Pageant question: the short answer is yes, that is normal. I would call it an unintended side-effect. Based on my experience, if you use PuTTY, set up the private key there (Connection, SSH, Auth), and save the session, that will be stored in the registry. If you name the 'Site' in FileZilla the same as you did the session in PuTTY, FileZilla looks at that registry for PuTTY and uses it.

I spoke in their forums about this (mostly in the context of using password-protected keys).

gregg