[ILUG] Breakins attempted - advice please

[John Allen]

I'm using shorewall, and the following line in my rules file practially 
stopped all the brute force attacks

ACCEPT        all    $FW        tcp    ssh        -    -    8/min:2

John Kinsella wrote:
> Hi,
> no flames please!
>
> I'm being regularly subjected to what appear to auth.log (and me) to 
> be attempted breakins on my office desktop machine (Ubuntu Hearty 
> Heron with Firestarter firewall)
> e.g.
>
> ==============8<===========
> Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=200.78.212.68  user=root
> Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from 
> 200.78.212.68 port 34256 ssh2
> Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking 
> getaddrinfo for na-200-78-212-68.na.avantel.net.mx [200.78.212.68] 
> failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from 
> 200.78.212.68
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): check pass; 
> user unknown
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=200.78.212.68
> Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user 
> magazine from 200.78.212.68 port 34486 ssh2
> ==============8<===========
>
> I'd like to keep sshd running so I can log in from home.
>
> Other than changine firewall settings to block all but my ISP's IP 
> addresses for access via ssh is there anything else that I should be 
> looking at?
>
> Thanks
>
> John
>