
SSH attacks


QatQat (IS-IT--Management), Nov 16, 2001
Hi there,


Two of my servers receive thousands of SSH login attempts on a daily basis.
From the log it looks like someone is trying to use wordlist-based software.

How do I stop them from even trying?

Would it have an effect if I redirect my SSH port to something else less known?

Thanks

QatQat

Life is what happens when you are making other plans.
 
I know the feeling. I have the same problem and am in the process of trying to deal with it myself.

Firstly, I suggest that you ensure that "root" is blocked for login. Any legitimate user that needs "root" can "su" to "root".

Next you can reduce the number of login retries that are allowed before a "cooling off" period.

You can create secure keys that are shared with trusted user machines and configure ssh to require that before login as well as the password. This step should seriously harden your protection but will obviously not reduce the hammering the machines get.

Finally, there are tools that you can google for (sorry, I can't remember what they're called) that will watch your log files and will use iptables to block the IP addresses of machines that continually attempt to log in and fail. You could also tweak this to immediately lock out any IP that attempts to log in as root.

I'm sure there are many other steps you could take as well but I hope this gives you a starting point.


Trojan.
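The log-watching tools Trojan describes work along these lines. The following is an added example, not code from the thread or from any named tool: it counts failed OpenSSH logins per source address in constructed auth.log lines and prints the iptables rules an admin would review, rather than applying them. The threshold, hostname and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): count "Failed password" sshd log lines
# per source IP and list the addresses at or over a threshold.

# Constructed sample of auth.log lines in OpenSSH's format; no real hosts.
SAMPLE_LOG='Nov 16 03:12:01 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Nov 16 03:12:03 host sshd[2202]: Failed password for root from 192.0.2.10 port 40123 ssh2
Nov 16 03:12:05 host sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 40124 ssh2
Nov 16 03:12:09 host sshd[2204]: Failed password for root from 198.51.100.7 port 51002 ssh2
Nov 16 03:12:11 host sshd[2205]: Accepted publickey for alice from 203.0.113.5 port 53211 ssh2
Nov 16 03:12:15 host sshd[2206]: Failed password for invalid user oracle from 192.0.2.10 port 40125 ssh2'

# failed_ips THRESHOLD  (reads log lines on stdin; prints "IP COUNT" per offender)
failed_ips() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from";
            # successful logins ("Accepted ...") never match the pattern above
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# block_rules THRESHOLD  (prints iptables commands for review; does NOT run them)
block_rules() {
    failed_ips "$1" | while read -r ip count; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP  # %s failures\n' \
            "$ip" "$count"
    done
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | failed_ips 3
#        printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

A real deployment would feed `tail -f` of the live log into this and expire the rules after a cooling-off period; the threshold of 3 here is arbitrary.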
 
All my security material is at work but I do recall a cool little program called PortWatch or something to that effect. It basically watched all your services and when something like that occurs it can do a multitude of things like block the offending IP by adding it to IPtables...

A good security related site you may want to ask at is
But if the IP is the same and you have all your logs I would simply block it and send the logs to their upstream.
 
There are plenty of tools to deal with this kind of thing.
Hell, writing one based on log notices or the pcap library wouldn't be too tough.

 
Here's one: make sure your servers are not pingable; that'll reduce your problems tremendously.

-Haben sie fosforos?
-No tiengo caballero, but I have un briquet.
 
To stop them dead, block the port via your firewall, allowing only the IPs of those you wish to connect.
 
- Changing the port number is often a good idea
- Find out the service provider for the IPs and notify them
- Allow only trusted IPs if at all possible
- Require a key (something along the lines of Kerberos) of some kind

 
I disabled all ping responses on my server and turned off sshd via webmin. I use webmin to turn the service on and off as needed... Now, is webmin secure? :~/
 
As long as you didn't use a really bad admin password, yes.
 
Thanks everyone for your suggestions.


Now, at the time of my posting I tried to change the port and I have not had attacks since.
So I am feeling a bit more relieved.

I will also follow some of the tips, like stopping ping.


Thanks to all of you for your time.


Qatqat

Life is what happens when you are making other plans.
 