
Re: SSH Attacks - What to do?



Tim McDonough wrote:
> 
> In reviewing the logs on my Linux server I see that for today and much 
> of yesterday someone has a machine set up that's trying to log in 
> every few seconds via SSH. They have had no success so far. Here's a 
> snippet of the message log, the file is huge with these things. (The 
> last two entries are me doing legitimate work.)
> 
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: check pass; user unknown
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
> 
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: check pass; user unknown
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
> 
> Jul 27 12:04:50 merlin samba(pam_unix)[14923]: session opened for user tim by (uid=0)
> 
> Jul 27 14:21:28 merlin ftpd[14943]: wu-ftpd - TLS settings: control allow, client_cert allow, data allow
> Jul 27 14:21:34 merlin ftpd[14943]: FTP session closed
> 
> For the time being I've shut off the ports in the little home gateway 
> but that's not a good long term solution. My son and I both use the 
> box remotely to access files for school and work.
> 
> Is there any way to stop this? Do I just depend on password security 
> or are there other tools I can readily apply to help?
> 
> I'd really like to stop it before it gets past the gateway. We have 
> metered wireless DSL service and if they are persistent enough it 
> could end up costing me money just for the failed attempts.

Tim,

You can do any of the things others have suggested, or you can trust the
inherent strength of the SSH service and do nothing. This is what I've
done for a dedicated nameserver running "in the wild", as it were, under
RHAS v2.1 for the past three years out in front of a firewall.

The secrets to its continuing survival are simple: (1) keep the number
of logon accounts to the barest minimum, (2) require those accounts to
use the strongest passwords their owners can remember, (3) keep the
system up2date, and (4) turn off all unnecessary services. The only
active externally visible services on that DNS machine are ssh and
named.

Since 1992 the /var/log/messages files have dutifully logged the IP
addresses of tens of thousands of script-kiddie hacker wannabes lured
by active ports 22 and 53. Time has proved that they can huff and puff
until they faint dead away, but they'll never get in.

-- Doc
Robert G. (Doc) Savage, BSE(EE), CISSP, RHCE | Fairview Heights, IL
Fedora Core 4 kernel 2.6.12-1.1398_FC4 on a P-III/M IBM Thinkpad A22p
            ** Bob Costas for Baseball Commissioner **


-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
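As an added example, not from either poster: Tim asked for tools he can readily apply, and the alternative to Doc's "do nothing" is the approach most log-watching tools (fail2ban, denyhosts) take: parse the sshd(pam_unix) "authentication failure" lines, count failures per rhost inside a sliding time window, and block a source once it crosses a threshold. The script below implements that logic over a constructed log extract modelled on the lines in Tim's post (the first two failures are his; the remaining lines, the second source address 192.0.2.44, the year 2005, the 5-failures-in-10-minutes threshold and the iptables rule syntax are all assumptions of this example).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern for the sshd(pam_unix) "authentication failure" line as it appears
# in the post. rhost= carries the source address; it may be empty on some
# failures, so the group allows zero characters.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure; "
    r".*?rhost=(?P<rhost>\S*)"
)

# Constructed extract: the first two failures are copied from the post, the
# rest are made up to show one scanner and one legitimate user mistyping twice.
SAMPLE_LOG = """\
Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: check pass; user unknown
Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: check pass; user unknown
Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
Jul 27 04:45:41 merlin sshd(pam_unix)[14819]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
Jul 27 04:45:45 merlin sshd(pam_unix)[14821]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
Jul 27 04:45:49 merlin sshd(pam_unix)[14823]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
Jul 27 04:45:53 merlin sshd(pam_unix)[14825]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
Jul 27 09:12:02 merlin sshd(pam_unix)[14900]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.44 user=tim
Jul 27 12:04:50 merlin samba(pam_unix)[14923]: session opened for user tim by (uid=0)
Jul 27 13:30:11 merlin sshd(pam_unix)[14930]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.44 user=tim
"""


def parse_failures(lines, year=2005):
    """Yield (timestamp, rhost) for each sshd authentication failure.

    syslog omits the year, so one is supplied (2005 is an assumption here).
    Non-matching lines ("check pass", samba, ftpd) are ignored.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        yield ts, m["rhost"]


def find_bruteforcers(lines, maxretry=5, window_seconds=600, year=2005):
    """Return {rhost: time_of_trigger} for sources with maxretry or more
    failures inside any window_seconds span (a fail2ban-style rule).

    Lines are assumed to be in chronological order, as in a syslog file.
    """
    recent = defaultdict(deque)   # rhost -> timestamps still inside the window
    flagged = {}
    for ts, rhost in parse_failures(lines, year):
        if not rhost or rhost in flagged:
            continue              # no source recorded, or already blocked
        q = recent[rhost]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out
        if len(q) >= maxretry:
            flagged[rhost] = ts
    return flagged


def iptables_rules(flagged, port=22):
    """Render one DROP rule per flagged source (assumed iptables syntax)."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} hit the threshold at {when:%b %d %H:%M:%S}")
    for rule in iptables_rules(hits):
        print(rule)
```

On the sample, 216.193.235.216 is flagged at its fifth failure (04:45:49) while the two spaced-out failures from 192.0.2.44 stay under the threshold, which is the property that keeps a user who mistypes a password from locking himself out. One caveat that matters for Tim's metered link: a rule added on the Linux box only stops the packets at the box; every attempt has already crossed the DSL link by then. To save bandwidth the block has to be pushed to the gateway (or the gateway has to forward port 22 on a non-standard external port), and the rule set should expire entries after some hours so the dynamic addresses of past scanners do not pile up forever.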