Port 22 (SSH) Attack Daily!!!!

[Aloco44]

I have a MBP (S.L 10.6.5) that I use for work/home purposes. I'm using Doorstop X/Who's There? and Little Snitch for internet security. For the last couple of days my Who's There app is showing that someone is trying to remotely access my MBP, threw Port 22.

Here are the details: (RED FLAG) 70.32.68.18 (IP), n18.c05.mtsvc.net (Host Name). WHOIS, shows the location somewhere off the cost of Africa.

Access is denied, but the attacks still proceed. Every time I restart my MBP, as soon as it boots the first attack appears. There are only a few attacks (2-4) depending on the time I'm on the internet. The Attacks only happen on my home network, not on my office network. I use an Airport Extreme (Latest Model) at home.

Even though access is denied, it's still irritating!! What can I do to stop this attacker and future ones? Information greatly appreciated, thank you.

 

[Raz0rEdge]

How are you connecting to the Internet? If you are going through a router then the firewall in there should prevent access to your machine which should be on a local IP address that is inaccessible from the external world..

Routine attacks on standard Internet ports are VERY common and there's no real way of preventing it since the attacker isn't really targeting you but rather a large number of IP's in a particular range to see which one they can get access to.

Regards

 

[Aloco44]

I'm connecting with a Comcast router/Apple Airport Extreme.

 

[IvanLasston]

Is the Comcast router doing the routing/firewall or is the Extreme? Do you have port 22 open in your firewall?

Do you need ssh on - on your mac?

As Raz0rEdge has said - it is really a bunch of scripts that are hitting port 22 because it is so common, and so much can be done if you get in on port 22.

If you need ssh open then there are a few things you can do to help decrease the chances of getting hit like installing denyhosts.

 

[Aloco44]

Extreme is doing the FW; and no, Port 22 is not open, don't really need it open. Would changing my IP help, because my IP is different at work; I'm only being attacked at home. So, obviously he/them have that IP (home). Should I change to a static address?

 

[IvanLasston]

Can you see where the hits are coming from? There really shouldn't be anything passing through your firewall. Are the port 22 hits coming from an internal ip address or is it an internet address? Meaning could someone have hopped onto your wifi - then try to attack your computers? It also could be another machine got hacked and they are using that to search for vunerable machines inside your network.