Richard Troth wrote:

Like Mark Pace,  I see a CONSTANT stream of such break-in attempts.
Looks like they're trying a list of known usernames,  presumably with
accompanying known default passwords.   (I am not aware of any specific
vulnerability in SSH (protocol or programs) related to the IDs used
in the attempts,  so I see no other value in those names.)
(But my knowledge is finite.)

Not sure how to stave off this attack other than to slow down the
SSH connections.   I asked an internal forum if anyone knew of a way to
"throttle" SSH.   No positive responses  (but a limited sample set,
since we're not SSH experts).   I suppose I *could* poll an SSH list.

For my own stuff,  one of the target boxes is a 486 SX at 25MHz.
Really.   So there is an automatic slow-down,  and I've seen
at least one would-be cracker apparently give up and go away.
Ahh ... the joy of using surplus hardware.   ;-)

Fighting this attack is a little like fighting spam:
Hard to tell ahead of time if the approaching client is friend or foe.
Manual black-listing of the attacking hosts is an arms race.
It just doesn't scale.

Consider firewalling port 22 (the ssh port) with iptables, configure it to only accept connections from your local lan. If you must have ssh access to the external network / Internet, have ssh listen for another port, possibly a high numbered non-privileged port. Configure your iptables firewall to allow that port to accept external network / Internet connections.

That will slow down the attempts.  People could still port scan you and
find the port, but general attacks won't do this... only those really
targeting you would bother to do that.

Make sure your sshd_config file has root login disabled for any Internet
facing systems.  Audit the various daemon accounts on your system,
ensure they do not have a loginable password.

These steps combined will greatly reduce the ssh probes you are receiving.

Brandon Darbro
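The steps in the reply above, written out as an added shell example that is not part of the original thread: the iptables rules and the sshd_config lines are emitted rather than applied, so nothing runs as root or touches the host, and the daemon-account audit reads a shadow-format file passed as an argument. Assumed values: local LAN 192.168.1.0/24 and alternate port 2222, both overridable via the environment.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values below.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed local LAN
ALT_PORT="${ALT_PORT:-2222}"           # assumed high, unprivileged port

# Steps 1 and 2: port 22 reachable only from the LAN, the alternate port
# reachable from anywhere. Established sessions are accepted first so an
# admin already logged in on 22 is not cut off when the DROP rule lands.
ssh_firewall_rules() {
    cat <<EOF
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport $ALT_PORT -m state --state NEW -j ACCEPT
EOF
}

# Steps 2 and 3: sshd_config fragment, listen on both ports, no root login.
sshd_config_fragment() {
    printf 'Port 22\nPort %s\nPermitRootLogin no\n' "$ALT_PORT"
}

# Step 4: list accounts whose shadow entry still holds a usable password.
# Field 2 starting with '*' or '!' is locked; anything else (including an
# empty field, i.e. no password at all) can be logged into with a password.
# Argument: path to a file in /etc/shadow format.
audit_loginable() {
    awk -F: '$2 !~ /^[*!]/ { print $1 }' "$1"
}

# Stand-alone use: "sh this.sh show" prints the rules and config fragment;
# "sh this.sh audit /etc/shadow" (as root) lists loginable accounts.
case "${1:-}" in
    show)  ssh_firewall_rules; sshd_config_fragment ;;
    audit) audit_loginable "$2" ;;
esac
```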

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
