Re: SSH Attacks - What to do?
On Jul 30, 2005, at 8:30 PM, SILUG25 wrote:
> On Sat, 30 Jul 2005 20:17:49 -0500, Steven Pritchard wrote
>> On Wed, Jul 27, 2005 at 03:19:21PM -0500, Tim McDonough wrote:
>>> In reviewing the logs on my Linux server I see that for today and
>>> of yesterday someone has a machine set up that's trying to log in
>>> every few seconds via SSH. They have had no success so far. Here's a
>>> snippet of the message log, the file is huge with these things. (The
>>> last two entries are me doing legitimate work.)
>> I just noticed something like 55k failed login attempts on one of my
>> few systems that has sshd open to the world. Unfortunately, I can't
>> cut off access to that system, and it would be somewhat painful to
>> disallow password authentication in general. There seems to be
>> another alternative though:
>> PermitRootLogin without-password
>> Despite how it sounds, that appears to disable password
>> for root, but nobody else.
> In /etc/ssh/sshd_config, I use the "AllowUsers" option, like this:
> AllowUsers fred barney wilma betty
> Note that root isn't one of them. If I need to be root, I log in as "fred" and
> either use "sudo" or do an "su -".
For even more security, I use AllowUsers to also restrict by IP
address, for example:
AllowUsers firstname.lastname@example.org, email@example.com, firstname.lastname@example.org.*,
Using this setup, especially with /etc/hosts.allow entries, makes the
chances of a successful attack even slimmer.
Reid Burke | Systems Assistant, Neon Internet / SchoolCenter
email@example.com | Owner, Burke Computer Solutions
www.reidburke.com | Web Design & Consulting - www.burkecomputer.com
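
The AllowUsers restrictions discussed in this thread can be checked offline with a small model of how the list is matched. This is an added example, not code from any poster in the thread; it is a simplified model (USER or USER@HOST patterns with `*` and `?` only, no negation or CIDR), and the user names and addresses are constructed placeholders. It also shows that the list is split on whitespace only, so a comma after a name becomes part of the pattern and that user is denied.

```python
import re

def glob(pattern, text):
    """Match with sshd-style wildcards: * is any run of characters, ? is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None

def allow_patterns(config_text):
    """Collect AllowUsers arguments; the list is split on whitespace only."""
    patterns = []
    for line in config_text.splitlines():
        words = line.split()
        if words and words[0].lower() == "allowusers":
            patterns.extend(words[1:])
    return patterns

def is_allowed(user, host, patterns):
    """Simplified model: each pattern is USER or USER@HOST (no negation, no CIDR)."""
    if not patterns:
        return True  # no AllowUsers line: this keyword restricts nobody
    for pat in patterns:
        user_pat, _, host_pat = pat.partition("@")
        if glob(user_pat, user) and (not host_pat or glob(host_pat, host)):
            return True
    return False

# Constructed sample lines; the names and 192.0.2.* / 198.51.100.7 are placeholders.
COMMAS = "AllowUsers fred, barney, wilma, betty"
SPACES = "AllowUsers fred barney wilma betty"
HOSTED = "AllowUsers fred@192.0.2.* barney"

if __name__ == "__main__":
    for cfg in (COMMAS, SPACES, HOSTED):
        pats = allow_patterns(cfg)
        print(cfg)
        for user, host in (("fred", "192.0.2.10"), ("fred", "198.51.100.7"),
                           ("barney", "198.51.100.7"), ("root", "192.0.2.10")):
            verdict = "allow" if is_allowed(user, host, pats) else "deny"
            print(f"  {user}@{host}: {verdict}")
```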