Re: SSH Attacks - What to do?
Tim McDonough wrote:
> In reviewing the logs on my Linux server I see that for today and much
> of yesterday someone has a machine set up that's trying to log in
> every few seconds via SSH. They have had no success so far. Here's a
> snippet of the message log, the file is huge with these things. (The
> last two entries are me doing legitimate work.)
>
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: check pass; user unknown
> Jul 27 04:45:33 merlin sshd(pam_unix)[14815]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
>
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: check pass; user unknown
> Jul 27 04:45:37 merlin sshd(pam_unix)[14817]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=216.193.235.216
>
> Jul 27 12:04:50 merlin samba(pam_unix)[14923]: session opened for user
> tim by (uid=0)
>
> Jul 27 14:21:28 merlin ftpd[14943]: wu-ftpd - TLS settings: control
> allow, client_cert allow, data allow
> Jul 27 14:21:34 merlin ftpd[14943]: FTP session closed
>
> For the time being I've shut off the ports in the little home gateway
> but that's not a good long term solution. My son and I both use the
> box remotely to access files for school and work.
>
> Is there any way to stop this? Do I just depend on password security
> or are there other tools I can readily apply to help?
>
> I'd really like to stop it before it gets past the gateway. We have
> metered wireless DSL service and if they are persistent enough it
> could end up costing me money just for the failed attempts.
>
A number of things you can do:
1.) Set up public and private keys for you and your son and only allow
public-key authentication. See the OpenSSH documentation or contact me
off-line for help with that.
2.) Set SSH to use a different port (e.g. 2022). This won't completely
prevent SSH scans but it will sure lessen them.
3.) Put an "AllowUsers user1 user2 .." line in your /etc/ssh/sshd_config
file to only allow specific users to your system.
That's all I can think of at the moment. There's probably more. Hope
that helps!
Jim
--
Jim Buitt
Independent Computer Consultant
St. Louis Metro East Area
Glen Carbon, IL 62034
Phone: 618-659-8741
Cell: 314-324-2515
URL: http://www.straightforwardconsulting.com
E-Mail: jbuitt@silmin.org