Can we say "DenySSH" :)

I had this same problem last week... though I've installed it, I'm not sure how to make it work... Neil, where are you ;p

Neil's got a whole page on his website about DenySSH.

Cheers Don

John Carter wrote:
So I wanted to take some work home...

Mail proved flaky: spam filters, size limits, risk of finger trouble
when entering the address, black holes, cosmic rays, BOfH knows why.

So scp does well, let me set that up. Open up a port 22 pinhole in the
home router/firewall. Hmm. Wish I could open up something weird and
non-standard, but the firewall on the other side only allows outgoing on 22.

But a static IP address costs $10 per month. BLOODY RIPOFF!!

A quick scriptie involving wget to pull the status page off the DSE
router and Ruby Net::ftp to push the encrypted result onto a
webserver, and a matching one to pull it down and decrypt.

So now I have a cronjob that fires once an hour, checks the IP address
and, if it's changed, splats the IP address onto a webpage.

Note 1. The IP address changes surprisingly often! The telco is doing
way more work than it needs to.

Note 2. Having kiddies in the house means some usernames have less
good passwords. So I dug and dug through the config to explicitly
enable access only to my own personal username.

Turns out that was a very very Good idea.

Last night my favourite debug tool triggers...

Listen to your computer.... what noise is it making? My dual core's
fan starts up if it's working hard. The disk drive makes small click
click sounds.

The disk is going klickitchy klickitchy klickitchy... Working
lightly. But working. Not scratch-scratch-scratch of the midnight
updatedb run. Just klickitchy-klitchitchy.

Hmm. Not me.

Run top...

sshd busy.

Look in /var/log/auth.log

Lots of "Invalid username" messages.

Shut down sshd
  /etc/init.d/sshd stop

klickitchy sound stops dead.

Trawl logs.. lots and lots and lots and lots of "Invalid username" for every username you can imagine...
staff, adm, admin, postgresql, jack, fred, tom, ....

Some swine is doing a brute force attack on my sshd.

Copy and paste the IP into Google; it turns up the web page of someone who
has written a perl script to scan his logs and block attackers, and as
a side effect lists the IP addresses he has blocked so far. Including my attacker.

Further digging around: it's a DHCP block on some American ISP. Possibly
not even the real attacker, just a bot.

Currently I've blocked port 22 on the router again. Also switched
off the router, as this was chewing up my bandwidth.

Grr.

Oh yes. Side Moral of story. "Broad Band == Brute Force Attacks"

You do use passphrases not passwords don't you?

i.e. _Never_ use a password again. i.e. _Never_ something like
"ch3rry"; always, Always use a passphrase: an easy to remember phrase
from which you take something like the first character of each word.

"I'm a lumber jack and I'm OK" == "IaljaI0K"

John Carter                             Phone : (64)(3) 358 6639
Tait Electronics                        Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch                Email : [EMAIL PROTECTED]
New Zealand

--
Don Gould
2/59 Peverel Street, Riccarton, Christchurch, New Zealand
Phone: +64 3 348 7235 - Mobile: +64 21 114 0699
www.thinkdesignprint.co.nz
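The log-trawling step in John's story (counting "Invalid user" lines in /var/log/auth.log per source address and blocking the worst offenders, which is what the perl script he found does) is worth seeing in code. The following is an added example written for this page; it is not John's scriptie, not the perl script he mentions, and not DenySSH. It is Ruby because that is what the thread is already using. The log lines are constructed to match the shape of OpenSSH "Invalid user" / "Failed password" messages, the addresses are documentation ranges, and the threshold and the iptables rule format are my choices, not anything the original post specifies.

```ruby
#!/usr/bin/env ruby
# Added example for this thread: tally sshd brute-force attempts per source
# IP from auth.log-style lines and emit block rules for the worst offenders.
# Not the perl script John found, nor DenySSH; a stand-alone illustration.

require 'set'

# Constructed sample lines modelled on OpenSSH auth.log output. These are
# not real logs; 192.0.2.x and 198.51.100.x are documentation-only ranges.
SAMPLE_LOG = <<~LOG
  Mar  3 02:14:01 home sshd[4121]: Invalid user staff from 192.0.2.10
  Mar  3 02:14:03 home sshd[4123]: Invalid user adm from 192.0.2.10
  Mar  3 02:14:05 home sshd[4125]: Invalid user admin from 192.0.2.10
  Mar  3 02:14:07 home sshd[4127]: Failed password for invalid user postgresql from 192.0.2.10 port 51522 ssh2
  Mar  3 02:14:09 home sshd[4129]: Invalid user jack from 192.0.2.10
  Mar  3 02:14:11 home sshd[4131]: Invalid user fred from 192.0.2.10
  Mar  3 02:20:44 home sshd[4200]: Failed password for john from 198.51.100.7 port 40012 ssh2
  Mar  3 02:21:02 home sshd[4202]: Accepted publickey for john from 198.51.100.7 port 40013 ssh2
LOG

# Two message shapes count as an attempt: a guessed username that does not
# exist ("Invalid user X from IP") and a wrong password for any user
# ("Failed password for [invalid user] X from IP"). Successful logins
# ("Accepted ...") deliberately do not match.
ATTEMPT_RE = /(?:Invalid user|Failed password for(?: invalid user)?) (\S+) from (\d{1,3}(?:\.\d{1,3}){3})/

# Returns { ip => { attempts: Integer, users: Set[String] } } for every
# source address that made at least one failed attempt.
def scan_auth_log(text)
  stats = {}
  text.each_line do |line|
    m = ATTEMPT_RE.match(line)
    next unless m
    user, ip = m[1], m[2]
    entry = (stats[ip] ||= { attempts: 0, users: Set.new })
    entry[:attempts] += 1
    entry[:users] << user
  end
  stats
end

# Source addresses at or above the threshold, busiest first. The threshold
# is an arbitrary choice for this example; a single mistyped password from
# a legitimate user must not get them blocked.
def offenders(stats, threshold: 5)
  stats.select { |_ip, s| s[:attempts] >= threshold }
       .sort_by { |_ip, s| -s[:attempts] }
       .map(&:first)
end

# iptables rules dropping new SSH connections from each offender. Emitted as
# strings rather than executed so the output can be reviewed first.
def block_rules(ips)
  ips.map { |ip| "iptables -A INPUT -s #{ip} -p tcp --dport 22 -j DROP" }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOG : File.read(ARGV[0])
  stats = scan_auth_log(text)
  stats.each do |ip, s|
    puts "#{ip}: #{s[:attempts]} attempts, users tried: #{s[:users].to_a.sort.join(', ')}"
  end
  puts
  puts block_rules(offenders(stats))
end
```

Run it with no arguments to see the constructed sample; pass a path such as /var/log/auth.log to run it over real data. Note the two complementary controls in John's account: this detection only limits the noise after the fact, while the configuration change he made (restricting sshd to his own account, which in sshd_config is the `AllowUsers` directive) removes the weak household accounts from the attack surface entirely, whatever the bot guesses.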
