Re: How to display IP of ssh user in message?

[mark <whitroth cfl rr com>]

> Subject: RE: How to display IP of ssh user in message? 
> From: Ryan Golhar <golharam umdnj edu>
> Date: Tue, 03 May 2005 16:27:23 -0400
> In-reply-to: 
> <462170B0EBFCFE4AB1E54ED8C269A5BC011837D9 PHLVEXCH01 genexservices com>
>  Reply-To: golharam umdnj edu, General Red Hat Linux discussion list
>  <redhat-list redhat com> Message-ID: 
> <004e01c5501e$83632140$9900a8c0 GOLHARMOBILE1> MIME-Version: 1.0 
 >
> We get attacks nightly.  Last night, there were 500+ attempts logins
> to root through ssh.  All from the same IP address.
>
> The warning banner doesn't do much good...I could call theplanet.com
> but then I'd be calling different ISP's almost daily because of the
> attacks.

Actually, I don't believe it's from theplanet.com.
<snip>
> > sshd: Invalid Users: Unknown Account: 602 Time(s) Authentication
> > Failures: xfs (138.67-18-71.reverse.theplanet.com ): 1 Time(s) root
> > (nitrogen.umdnj.edu ): 1 Time(s) root
> > (138.67-18-71.reverse.theplanet.com ): 1 Time(s) unknown
> > (138.67-18-71.reverse.theplanet.com ): 595 Time(s) unknown
> > (218.153.147.92 ): 6 Time(s) daemon
> > (138.67-18-71.reverse.theplanet.com ): 1 Time(s) root
> > (218.153.147.92 ): 3 Time(s) rpc
> > (138.67-18-71.reverse.theplanet.com ): 1 Time(s) unknown
> > (10.136.16.244 ): 1 Time(s) smmsp
> > (138.67-18-71.reverse.theplanet.com ): 1 Time(s)

The numbers look like an IP, and I did a whois both forward 
(138.67.18.71) and (71.18.67.138), and both are the Colorado School of 
Mines. I suspect a student or ex-student.

	mark