sshd un-authorized access attempts

hi,

we have a hosted dedicated server running 2003 and iis6, it is mainly used for hosting our website that we use. we have a small company therefore I keep an eye on the server even though I am the web developer...

I have noticed in the app log in event viewer similar ip addresses are hitting our server with similar error codes:

Illegal user 1 from 216.xxx.xxx.xxx
sshd : PID 3216 : input_userauth_request: illegal user 1.
sshd : PID 3216 : Failed password for illegal user 1 from 216.xxx.xxx.xxx port 50739 ssh2.


there are about a hundred of these a night, sometimes from different ip addresses, and the user names tried are different
eg root, guest etc...

I would like to know if there is a way to stop any services that allow ssh2 or sshd access on the server. We use remote desktop to connect and sometimes vnc. I have taken a look through the service console and cannot work out which services it is, or if there is just nothing to worry about at all. Rather be safe than sorry...

thanks
deanvanrooyen Asked:

mcsween (Sr. Network Administrator) Commented:
Is this box behind a firewall?  If so I would block port 50739.  If not I would consider putting a firewall in front of it or at least using the Windows firewall and provide exceptions just for RD (3389), VNC (5900), and what you need for web (at least 80).
deanvanrooyen (Author) Commented:
hi,

this is a hosted server so it runs like in a dmz, I cannot start blocking ports because the source port keeps changing, I need to try and stop the service (if anything is running that allows this access), I just think it might be the remote access service for remote desktop
mcsween (Sr. Network Administrator) Commented:
I am guessing you have an SSH (Secure Shell Host) daemon running on this server somewhere.  SSH is not native to Windows so if there is one installed you would probably see it under Add/Remove programs.

In your task manager do you see anything on the processes tab with the name SSHD?
mcsween (Sr. Network Administrator) Commented:
Are you running Cygwin tools on this server?
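
An added example, not part of the original thread: a short Python script that tallies the "Failed password" event text quoted in the question by source address, listing the user names tried, the client source ports, and the sshd PIDs that logged them. The sample lines and their documentation-range addresses are constructed, and `summarize` and `report` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the question; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
sshd : PID 3216 : input_userauth_request: illegal user 1.
sshd : PID 3216 : Failed password for illegal user 1 from 203.0.113.7 port 50739 ssh2.
sshd : PID 3216 : Failed password for illegal user guest from 203.0.113.7 port 50912 ssh2.
sshd : PID 3216 : Failed password for root from 203.0.113.7 port 51200 ssh2.
sshd : PID 3301 : Failed password for illegal user admin from 198.51.100.23 port 40022 ssh2.
"""

# "illegal user " is present only when the account does not exist on the host.
FAILED = re.compile(
    r"sshd\s*:\s*PID\s+(?P<pid>\d+)\s*:\s*Failed password for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2"
)

def summarize(text):
    """Group failed password events by source address."""
    by_ip = defaultdict(
        lambda: {"attempts": 0, "users": set(), "ports": set(), "pids": set()}
    )
    for line in text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # other sshd messages (e.g. input_userauth_request)
        rec = by_ip[m["ip"]]
        rec["attempts"] += 1
        rec["users"].add(m["user"])
        rec["ports"].add(int(m["port"]))  # client's source port for this attempt
        rec["pids"].add(int(m["pid"]))    # sshd process that logged the line
    return dict(by_ip)

def report(summary):
    """One line per source address, busiest first."""
    ranked = sorted(summary.items(), key=lambda kv: -kv[1]["attempts"])
    return [
        f"{ip}: {r['attempts']} failed, users={sorted(r['users'])}, "
        f"source ports={sorted(r['ports'])}, sshd PIDs={sorted(r['pids'])}"
        for ip, r in ranked
    ]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

The port in each event is the client's source port, which differs per attempt; the port the daemon itself listens on is what `netstat -ano` run on the server shows.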
