> People are trying to log in via SSH as root or admin, and failing (thank God). I have changed my firewall temporarily to only allow SSH from my private subnet. I would ideally like to change this. What can I do?
If you are getting multiple attempted logins (i.e. 100 at a time) in succession, then it is probably just one of the 'latest and greatest' script kiddie automated programs that was released a few weeks (perhaps even a few months) ago. I think the original program was called BruteSSH2, but since then there have been more 'variants' that have been seen. Assuming you have a good password policy, you shouldn't have much to worry about.
If you are looking for a good laugh, here is one version: http://www.k-otik.com/exploits/08202004.brutessh2.c.php
Some previous posters have pointed out things you can do to increase security through ssh:
- set permitrootlogins to no
- firewall to only allow trusted ip addresses to connect to ssh
- /etc/hosts.deny
Another thing you should probably consider is to disable ssh password authentication, and instead use rsa or dsa keys. Although this requires a little bit of work on your part if you log in from many different machines, it will require an attacker to have your private key, username, and passphrase to log in. As well, if you use this method then you needn't worry at all about these types of attempts :)
Another compelling reason to use rsa/dsa key based login is that if you are like me and connect to the same machines many times throughout the day (i.e. scp'ing files around, cvs access, smtp over ssh (for those using telus adsl), etc.) then you can use ssh-agent/ssh-add so you don't have to type in your passphrase all the time. A nice tool to trivialize this is keychain from the fine folks that brought us Gentoo: http://www.gentoo.org/proj/en/keychain/index.xml
> I don't *think* anyone has broken in yet, but I can't be sure.
Let's hope not :) But you should be on the lookout for anything suspicious.
Cheers
Ian.
_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
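An added example, not part of the original message: a small audit of an sshd_config for the two server-side settings the reply recommends (root login off, password authentication off). The function names and the sample config are constructed for illustration, and only the global section of a single file is read.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the two
# settings recommended above. Only the global section is read; Include files
# and Match blocks are not followed (assumption for brevity).

# Print the value sshd would use for keyword $2 in file $1, lowercased.
# Keywords are case-insensitive and the first occurrence wins.
sshd_global_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " "); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == ""                    { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check FILE KEYWORD WANTED: report one setting, return 1 if it differs.
check() {
    val=$(sshd_global_value "$1" "$2")
    # An unset keyword falls back to the compiled-in default,
    # which is not "no" for either keyword audited here.
    if [ "${val:-unset}" = "$3" ]; then
        echo "OK   $2 $val"
    else
        echo "WARN $2 ${val:-unset} (want: $3)"
        return 1
    fi
}

audit_sshd_config() {
    rc=0
    check "$1" PermitRootLogin no || rc=1
    check "$1" PasswordAuthentication no || rc=1
    return "$rc"
}

# Constructed sample input: the later "PermitRootLogin no" never takes effect,
# and the only live PasswordAuthentication line applies to one Match user.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
permitrootlogin yes
PermitRootLogin no
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration with Include and Match processing applied, which this script does not follow.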

