[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSH Attacks - What to do?

On Jul 30, 2005, at 8:30 PM, SILUG25 wrote:

> On Sat, 30 Jul 2005 20:17:49 -0500, Steven Pritchard wrote
>> On Wed, Jul 27, 2005 at 03:19:21PM -0500, Tim McDonough wrote:
>>> In reviewing the logs on my Linux server I see that for today and  
>>> much
>>> of yesterday someone has a machine set up that's trying to log in
>>> every few seconds via SSH. They have had no success so far. Here's a
>>> snippet of the message log, the file is huge with these things. (The
>>> last two entries are me doing legitimate work.)
>> [...]
>> I just noticed something like 55k failed login attempts on one of my
>> few systems that has sshd open to the world.  Unfortunately, I can't
>> cut off access to that system, and it would be somewhat painful to
>> disallow password authentication in general.  There seems to be
>> another alternative though:
>>   PermitRootLogin without-password
>> Despite how it sounds, that appears to disable password  
>> authentication
>> for root, but nobody else.
>> Steve
> In /etc/ssh/sshd_config, I use the "AllowUsers" option, like this:
>      AllowUsers fred, barney, wilma, betty
> Note that root isn't one of them.  If I need to be root, I log in  
> as "fred" and
> either use "sudo" or do an "su -".
> [...]
> Charlie

For even more security, I use AllowUsers to also restrict by IP  
address, for example:

     AllowUsers fred@, fred@, barney@192.168.1.*,  
wilma@, betty@10.1.1.*

Using this setup, especially with /etc/hosts.allow entries, makes the  
chances of a successful attack even slimmer.

Reid Burke        | Systems Assistant, Neon Internet / SchoolCenter
me@reidburke.com  | Owner, Burke Computer Solutions
www.reidburke.com | Web Design & Consulting - www.burkecomputer.com

To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.