As a temporary solution, you could use my iptables script for preventing SSH brute force.
I use this to prevent SSH and FTP brute force, where AAA.BBB.CCC.DDD is your trusted IP, which will never be blocked. This script will block an IP if it makes >3 connections per 5 minutes.

# Chain that exempts the trusted IP
iptables -N SSH_WHITELIST
# Record every new connection (SYN) to port 22 in the "sshbr" list
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --set
iptables -A INPUT -p tcp --dport 22 --syn -j SSH_WHITELIST
# Reject a source once it has 3 hits within 300 seconds
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --update --rttl --hitcount 3 --seconds 300 -j REJECT --reject-with tcp-reset
# Trusted IP: remove it from the same list (--name sshbr); --rttl is only accepted with --rcheck/--update
iptables -A SSH_WHITELIST -s AAA.BBB.CCC.DDD -p tcp --dport 22 --syn -m recent --name sshbr --remove

To increase security, change MaxAuthTries to 1 in /etc/ssh/sshd_config, so a remote user can do only 2 connection attempts with 2 password retries.

On Thu, Dec 29, 2011 at 4:33 PM, Ville Tiensuu <[email protected]> wrote:
> Hello,
>
> Could you please paste the /var/log/auth.log message of the attack?
> Are you sure it's not a bruteforce attack or similar?
> I think the problem is not in the SSH server itself, it's in your server's
> security. Are you using a weak password, and allowing direct root access
> to the server via SSH?
> If the problem persists on your other servers, try to use fail2ban or similar.
>
> -Ville
>
> 29.12.2011 16:04, Taz wrote:
> > Hello, we've got various Debian servers, about 15, with different
> > versions. All of them have been attacked today and granted root
> > access. Can anybody help? We can give ssh access to an attacked
> > machine, it seems to be a serious ssh vulnerability.
> >
> > How can I contact openssh mnt?
> >
> > Thank you.
--
BR, Nikolay Yatsyshyn
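
The rate-limit logic of the rules above, as an added example that is not part of the original message: a simplified Python model of the three INPUT rules, replayed over constructed SYN times. The addresses 192.0.2.10 (standing in for AAA.BBB.CCC.DDD) and 203.0.113.7 are assumptions, and the model stores one timestamp per SYN and ignores the --rttl TTL comparison.

```python
from collections import defaultdict

HITCOUNT = 3              # --hitcount 3
SECONDS = 300             # --seconds 300
TRUSTED = "192.0.2.10"    # constructed stand-in for AAA.BBB.CCC.DDD
ATTACKER = "203.0.113.7"  # constructed source address

# Constructed input: (seconds since start, source IP) for each SYN to port 22.
SAMPLE_SYNS = (
    [(t, ATTACKER) for t in (0, 20, 40, 60, 1000)]
    + [(t, TRUSTED) for t in (5, 6, 7, 8, 9)]
)


def simulate(syns, trusted=TRUSTED, hitcount=HITCOUNT, seconds=SECONDS):
    """Replay SYNs through the three INPUT rules; return (time, ip, verdict).

    Simplified model (assumption): one timestamp per SYN, no TTL check,
    no limit on the number of stored entries or timestamps.
    """
    sshbr = defaultdict(list)              # the "sshbr" list: ip -> timestamps
    results = []
    for now, src in sorted(syns):
        sshbr[src].append(now)             # rule 1: -m recent --set
        if src == trusted:                 # rule 2: jump to SSH_WHITELIST
            sshbr.pop(src, None)           #   -m recent --remove for the trusted IP
        hits = [t for t in sshbr.get(src, []) if now - t <= seconds]
        if len(hits) >= hitcount:          # rule 3: --update --hitcount --seconds
            results.append((now, src, "REJECT"))
        else:
            results.append((now, src, "PASS"))   # continues to later rules
    return results


def verdicts_for(results, ip):
    """Verdicts for one source address, in time order."""
    return [verdict for _, src, verdict in results if src == ip]


if __name__ == "__main__":
    for now, src, verdict in simulate(SAMPLE_SYNS):
        print(f"{now:>5}s  {src:<12} {verdict}")
```

In this model the third SYN inside the window is the first one rejected, and the trusted address is never counted because its entry is removed before the hit-count rule is evaluated.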

