As Ted said in the 2nd sentence, it's running on a non-standard port. Yes, it helps a lot to reduce garbage in the logs.

Maybe it's not non-standard enough? sshguard looks interesting. Thanks!

On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <j...@codemeta.com> wrote:
> I have to second this suggestion - changing the port did wonders for our
> servers. Of course, as Dan says, it works for script kiddies, not so much
> against a determined attack on your server.
>
> --Bruce
>
> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
> If you can change the port number it does wonders against the script
> kiddies.
> Just remember to add the new port, restart sshd, then remove the old port. :)
>
> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedro...@gmail.com> wrote:
>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>> I'll give that a try.
>>
>> I do have Fail2Ban in place, and have customized a number of scripts,
>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>> results in instaban, for example) and it is what is reporting the ssh
>> login failures.
>>
>> I have always seen them, in the 10 years I've had this server running,
>> but the frequency, periodicity and international variety (usually
>> they're all China, Russia, Romania) seemed like there might be
>> something else going on.
>>
>> Be careful out there.
>>
>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <mkomarin...@wayga.org> wrote:
>>> sshguard is really good since it'll drop in an iptables rule to block an IP
>>> address after a number of attempts (and prevent knocking on other ports too).
>>>
>>> Yubikey as 2FA is pretty nice too.
>>>
>>> -------- Original message --------
>>> From: Bruce Dawson <j...@codemeta.com>
>>> Date: 6/11/17 10:58 AM (GMT-05:00)
>>> To: gnhlug-discuss@mail.gnhlug.org
>>> Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
>>>
>>> sshguard takes care of most of them (especially the high bandwidth ones).
>>>
>>> The black hats don't care - they're looking for vulnerable systems. If
>>> they find one, they'll exploit it (or not).
>>>
>>> Note that a while ago (more than a few years), comcast used to probe
>>> systems to see if they're vulnerable. Either they don't do that any
>>> more, or contract it out because I haven't seen probes from any of their
>>> systems in years. This probably holds true for other ISPs, and various
>>> intelligence agencies in the world - both private and public, not to
>>> mention various disreputable enterprises.
>>>
>>> --Bruce
>>>
>>> On 06/11/2017 10:17 AM, Ted Roche wrote:
>>>> For 36 hours now, one of my clients' servers has been logging ssh
>>>> login attempts from around the world, low volume, persistent, but more
>>>> frequent than usual. sshd is listening on a non-standard port, just to
>>>> minimize the garbage in the logs.
>>>>
>>>> A couple of attempts is normal; we've seen that for years. But this is
>>>> several each hour, and each hour an IP from a different country:
>>>> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>>>> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>>>>
>>>> There are several levels of defense in use: firewalls, intrusion
>>>> detection, log monitoring, etc, so each script gets a few guesses and
>>>> the IP is then rejected.
>>>>
>>>> In theory, the defenses should be sufficient, but I have a concern
>>>> that I'm missing their strategy here. It's not a DDOS, they are very
>>>> low volume. It will take them several millennia to guess enough
>>>> dictionary attack guesses to get through, so what's the point?
>>
>> --
>> Ted Roche
>> Ted Roche & Associates, LLC
>> http://www.tedroche.com
_______________________________________________ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
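The thread turns on two defences: per-IP banning after a few failures (the fail2ban/sshguard model Ted and Mark describe) and the observation that a campaign which rotates to a fresh IP every hour never trips that threshold. The script below is an added example, not code from the thread or from fail2ban or sshguard. It parses a constructed sample of sshd "Failed password" log lines (the hosts, IPs and timestamps are made up), applies a fail2ban-style maxretry/findtime rule per source IP, and then aggregates the same failures across all sources so the low-and-slow pattern becomes visible. The year (syslog lines carry none), the thresholds and the window size are assumptions chosen for the example.

```python
"""Per-IP banning versus an aggregate view of a distributed ssh password-guessing campaign.

Added example; the log lines are constructed, not taken from any real server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log sample. Two sources exceed the per-IP threshold, two stay
# under it, and one line is a successful key login that must be ignored.
SAMPLE_LOG = """\
Jun 11 08:02:11 web1 sshd[2301]: Failed password for root from 203.0.113.10 port 41022 ssh2
Jun 11 08:02:14 web1 sshd[2301]: Failed password for root from 203.0.113.10 port 41022 ssh2
Jun 11 08:02:17 web1 sshd[2301]: Failed password for invalid user mythtv from 203.0.113.10 port 41023 ssh2
Jun 11 09:15:40 web1 sshd[2388]: Failed password for invalid user rheal from 198.51.100.7 port 50100 ssh2
Jun 11 09:15:44 web1 sshd[2388]: Failed password for root from 198.51.100.7 port 50100 ssh2
Jun 11 10:31:02 web1 sshd[2440]: Failed password for invalid user mythtv from 192.0.2.55 port 33210 ssh2
Jun 11 10:31:05 web1 sshd[2440]: Failed password for root from 192.0.2.55 port 33210 ssh2
Jun 11 10:31:09 web1 sshd[2440]: Failed password for root from 192.0.2.55 port 33211 ssh2
Jun 11 11:47:30 web1 sshd[2501]: Failed password for invalid user admin from 203.0.113.99 port 60001 ssh2
Jun 11 11:48:01 web1 sshd[2503]: Accepted publickey for deploy from 203.0.113.200 port 51515 ssh2
"""

# Matches OpenSSH's password-failure line; "invalid user" is present when the
# account does not exist at all.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2017):
    """Return (timestamp, source_ip, username) for every failed password line.

    Syslog timestamps carry no year, so one is supplied (assumed here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def per_ip_bans(events, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban a source once it fails maxretry times within findtime.

    Returns {ip: time_of_ban}. A source that never reaches maxretry is invisible here.
    """
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _ in sorted(events):
        if ip in banned:
            continue
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def campaign_view(events, window=timedelta(hours=6), min_sources=3):
    """Aggregate failures across all sources per time window.

    Flags a window when at least min_sources distinct IPs failed in it, which is
    what a campaign rotating through one IP per hour looks like even though each
    IP individually stays under the per-IP ban threshold.
    """
    buckets = defaultdict(lambda: {"ips": set(), "users": defaultdict(int), "count": 0})
    epoch = min(t for t, _, _ in events)
    for ts, ip, user in events:
        b = buckets[int((ts - epoch) / window)]
        b["ips"].add(ip)
        b["users"][user] += 1
        b["count"] += 1
    flagged = {}
    for k, b in buckets.items():
        if len(b["ips"]) >= min_sources:
            flagged[k] = {
                "sources": len(b["ips"]),
                "attempts": b["count"],
                "top_user": max(b["users"], key=b["users"].get),
            }
    return flagged


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", sorted(per_ip_bans(ev)))
    print("flagged windows:", campaign_view(ev))
```

In the sample, the per-IP rule bans only the two sources that made three attempts in quick succession; the hosts that tried once or twice and moved on are never banned, and would not be even if a hundred of them each took a turn. The aggregate view reports all four sources and nine attempts in the window, with `root` as the most-tried account, which is the signal worth alerting on when, as in Ted's case, each hour brings a new country. It does not answer the question of what the guessers are after, but it does tell you whether the distributed pattern is real rather than a coincidence of background noise.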