sshd unauthorized access attempts

Posted on 2006-04-12
Medium Priority
Last Modified: 2010-04-18

We have a hosted dedicated server running 2003 and IIS6; it is mainly used for hosting our website that we use. We have a small company, therefore I keep an eye on the server even though I am the web developer...

I have noticed in the app log in Event Viewer that similar IP addresses are hitting our server with similar error codes:

Illegal user 1 from 216.xxx.xxx.xxx
sshd : PID 3216 : input_userauth_request: illegal user 1.
sshd : PID 3216 : Failed password for illegal user 1 from 216.xxx.xxx.xxx port 50739 ssh2.

There are about a hundred of these a night, sometimes from different IP addresses, and the user names tried are different,
e.g. root, guest etc...

I would like to know if there is a way to stop any services that allow ssh2 or sshd access on the server. We use remote desktop to connect and sometimes VNC. I have taken a look through the service console and cannot work out which services it is, or if there is just nothing to worry about at all. Rather be safe than sorry...

Question by:deanvanrooyen

Expert Comment

ID: 16438560
Is this box behind a firewall? If so, I would block port 50739. If not, I would consider putting a firewall in front of it, or at least using the Windows firewall and providing exceptions just for RD (3389), VNC (5900), and what you need for web (at least 80).

Author Comment

ID: 16439093

This is a hosted server so it runs like in a DMZ. I cannot start blocking ports because the source port keeps changing. I need to try and stop the service (if anything is running that allows this access). I just think it might be the remote access service for remote desktop.

Expert Comment

ID: 16439693
I am guessing you have an SSH (Secure Shell Host) daemon running on this server somewhere. SSH is not native to Windows, so if there is one installed you would probably see it under Add/Remove Programs.

In your Task Manager, do you see anything on the Processes tab with the name SSHD?

Accepted Solution

mcsween earned 1000 total points
ID: 16439715
Are you running Cygwin tools on this server?
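
The event-log lines quoted in the question can be summarized per source address rather than per port, since the port shown in each line is the client's source port and changes with every connection. The following is an added example, not part of the original thread; the sample lines are constructed in the quoted format with documentation-range addresses, and the function names and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format quoted in the question; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
sshd : PID 3216 : input_userauth_request: illegal user 1.
sshd : PID 3216 : Failed password for illegal user 1 from 192.0.2.10 port 50739 ssh2.
sshd : PID 3300 : Failed password for illegal user guest from 192.0.2.10 port 50811 ssh2.
sshd : PID 3304 : Failed password for root from 198.51.100.7 port 41022 ssh2.
sshd : PID 3310 : Failed password for illegal user admin from 192.0.2.10 port 50902 ssh2.
"""

# "illegal user" marks a name that does not exist on the server; it is optional
# because attempts against real accounts (e.g. root) are logged without it.
FAILED = re.compile(
    r"sshd : PID (?P<pid>\d+) : Failed password for "
    r"(?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

def summarize(text):
    """Group failed logins by source address; returns {ip: summary dict}."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": Counter(),
                                 "unknown_users": 0, "source_ports": set()})
    for line in text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # input_userauth_request lines carry no address
        entry = by_ip[m["ip"]]
        entry["attempts"] += 1
        entry["users"][m["user"]] += 1
        entry["unknown_users"] += bool(m["illegal"])
        entry["source_ports"].add(int(m["port"]))  # differs per connection
    return dict(by_ip)

def noisy_sources(summary, min_attempts=3):
    """Addresses at or above the (assumed) threshold, most active first."""
    hits = [(ip, s["attempts"]) for ip, s in summary.items()
            if s["attempts"] >= min_attempts]
    return sorted(hits, key=lambda pair: -pair[1])

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["attempts"], dict(s["users"]), sorted(s["source_ports"]))
```
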
