
Re: SSH Attacks - What to do?



Tim McDonough wrote:

> In reviewing the logs on my Linux server I see that for today and much 
> of yesterday someone has a machine set up that's trying to log in 
> every few seconds via SSH. They have had no success so far. Here's a 
> snippet of the message log, the file is huge with these things. (The 
> last two entries are me doing legitimate work.)
>
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: check pass; user unknown
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: authentication failure; 
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
>
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: check pass; user unknown
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: authentication failure; 
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
>
> Jul 27 12:04:50 merlin samba(pam_unix)[14923]: session opened for user 
> tim by (uid=0)
>
> Jul 27 14:21:28 merlin ftpd[14943]: wu-ftpd - TLS settings: control 
> allow, client_cert allow, data allow
> Jul 27 14:21:34 merlin ftpd[14943]: FTP session closed
>
> For the time being I've shut off the ports in the little home gateway 
> but that's not a good long term solution. My son and I both use the 
> box remotely to access files for school and work.
>
> Is there any way to stop this? Do I just depend on password security 
> or are there other tools I can readily apply to help?
>
> I'd really like to stop it before it gets past the gateway. We have 
> metered wireless DSL service and if they are persistent enough it 
> could end up costing me money just for the failed attempts.
>
A number of things you can do:

1.) Set up public and private keys for you and your son and only allow 
public-key authentication.  See the OpenSSH documentation or contact me 
offline for help with that.

2.) Set SSH to use a different port (e.g. 2022).  This won't completely 
prevent SSH scans but it will sure lessen them.

3.) Put an "AllowUsers user1 user2 .." line in your /etc/ssh/sshd_config 
file to only allow specific users to your system.

That's all I can think of at the moment.  There's probably more.  Hope 
that helps!

Jim

-- 
Jim Buitt
Independent Computer Consultant
St. Louis Metro East Area
Glen Carbon, IL 62034
Phone: 618-659-8741
Cell: 314-324-2515
URL: http://www.straightforwardconsulting.com
E-Mail: jbuitt@silmin.org


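As an added example (not code from Jim's reply or Tim's post), here is a POSIX shell script that turns the three suggestions into concrete sshd_config directives and audits a config file for them. It goes one step beyond the reply by also setting ChallengeResponseAuthentication no, because with PAM in the picture "PasswordAuthentication no" alone still leaves keyboard-interactive password prompts open. The account names (tim, son), the port 2022 from the reply, and both config files are constructed for the demo; Match blocks and the "Keyword=value" spelling are assumed out of scope.

```shell
#!/bin/sh
# Added example, not code from the original thread. Turns the three
# suggestions into sshd_config directives, shows a typical "before" file
# beside the hardened one, and audits a config file for them.
# User names (tim, son) and port 2022 are illustrative assumptions.

# Constructed "before" config: password logins on the default port.
# The last line is the mistake people make when hardening by appending:
# sshd uses the FIRST value it sees for a keyword, so that "no" is ignored.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
'

# Constructed "after" config carrying the three points from the reply, plus
# ChallengeResponseAuthentication no: without it PAM keyboard-interactive
# still accepts passwords even when PasswordAuthentication is no.
HARDENED_CONFIG='Port 2022
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers tim son
'

# sshd_value FILE KEYWORD: print the effective value of KEYWORD as sshd
# reads it: comments skipped, keyword matched case-insensitively, first
# occurrence wins. Prints nothing if the keyword is absent.
# Assumed out of scope: Match blocks and the "Keyword=value" form.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        !found && tolower($1) == key {
            found = 1; $1 = ""; sub(/^ /, ""); val = $0
        }
        END { print val }' "$1"
}

# audit_sshd_config FILE: check the file against the recommendations.
# Prints one line per finding and returns 0 only if every check passes.
# Unset keywords fall back to the sshd defaults (port 22, password and
# challenge-response auth on, public keys on, no AllowUsers restriction).
audit_sshd_config() {
    f=$1; rc=0
    port=$(sshd_value "$f" Port);                          : "${port:=22}"
    pw=$(sshd_value "$f" PasswordAuthentication);          : "${pw:=yes}"
    pk=$(sshd_value "$f" PubkeyAuthentication);            : "${pk:=yes}"
    cr=$(sshd_value "$f" ChallengeResponseAuthentication); : "${cr:=yes}"
    users=$(sshd_value "$f" AllowUsers)

    [ "$pk" = yes ]   || { echo "FAIL PubkeyAuthentication=$pk (want yes)"; rc=1; }
    [ "$pw" = no ]    || { echo "FAIL PasswordAuthentication=$pw (want no: keys only)"; rc=1; }
    [ "$cr" = no ]    || { echo "FAIL ChallengeResponseAuthentication=$cr (want no: closes PAM password prompts)"; rc=1; }
    [ "$port" != 22 ] || { echo "WARN Port 22 (move off the default, e.g. 2022, to cut scan noise)"; rc=1; }
    [ -n "$users" ]   || { echo "FAIL AllowUsers unset (restrict logins to named accounts)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $f: key-only logins on $port/tcp for: $users"
    return "$rc"
}

# Demo: write both constructed configs to temp files and audit them.
weak=$(mktemp); hard=$(mktemp)
printf '%s' "$WEAK_CONFIG" > "$weak"
printf '%s' "$HARDENED_CONFIG" > "$hard"
echo "--- before ---"; audit_sshd_config "$weak" || echo "(exit status $?)"
echo "--- after ---";  audit_sshd_config "$hard"
rm -f "$weak" "$hard"
```

Two practical points the script encodes: sshd takes the first value it finds for a keyword, so edit the existing PasswordAuthentication line rather than appending a new one at the end; and before restarting the daemon, check the new file with `sshd -t -f /path/to/new/sshd_config` and keep an existing session open until a fresh key-based login from the new port has succeeded.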
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.