Re: Someone is picking on my sshd
On 03/08/07, Boaz Rymland <[EMAIL PROTECTED]> wrote:
> Amos Shapira wrote:
> > Possible ways to handle:
> >
> > 1. Change port as others suggested - works great for me.
> > 2. Make sure you can only authenticate using public/private keys.
> > 3. Install "denyhosts", which adds attacking IP's to /etc/hosts.deny based
> >    on the sshd logs, also can synchronize info with other attacked hosts.
> > 4. Use iptables to limit number of attempts from each IP.
> > 5. Use iptables to slow down connections from attackers (target "TARPIT").
> > 6. Install a honeypot and send the results to central sites which collect
> >    such info.
>
> 7. Open SSH port to the needed IP(s) only: If you _don't_ need to SSH in
> from "the world", you can limit access to the needed port based on the IP
> address, or a range of IPs. E.g:
>
>   iptables -A INPUT -s $ALLOWED_IP_SSH -p TCP --dport $SSH_PORT -j ACCEPT

True, though you have to be careful not to lock yourself out by limiting too much. That's why I've never implemented this myself.
You can use the iptables geoip module to limit by country.

Your suggestion reminded me:

8. Implement port-knocking. Still could limit you to access from machines from which you can do the port-knock (I think even careful use of "traceroute" might allow you to do that when you don't have access to a port-knocking client).

--Amos

Re: Someone is picking on my sshd
Amos Shapira wrote:
> Possible ways to handle:
>
> 1. Change port as others suggested - works great for me.
> 2. Make sure you can only authenticate using public/private keys.
> 3. Install "denyhosts", which adds attacking IP's to /etc/hosts.deny
>    based on the sshd logs, also can synchronize info with other attacked
>    hosts.
> 4. Use iptables to limit number of attempts from each IP.
> 5. Use iptables to slow down connections from attackers (target "TARPIT").
> 6. Install a honeypot and send the results to central sites which
>    collect such info.

7. Open SSH port to the needed IP(s) only: If you _don't_ need to SSH in from "the world", you can limit access to the needed port based on the IP address, or a range of IPs. E.g:

  iptables -A INPUT -s $ALLOWED_IP_SSH -p TCP --dport $SSH_PORT -j ACCEPT

Boaz.

> That's all folks,
>
> --Amos

Re: Someone is picking on my sshd
On 03/08/07, Ravid Baruch Naali <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> Does anyone else get this frequently?
> Some kind of automated program trying to log into my sshd, each time from
> a different IP address. Of course (I hope) all of the users are invalid.
>
> Did any of you notice it? And if so what are your solutions?

I saw reports about increased sshd probes during this week on an Australian LUG mailing list too. Apparently there is a wave of these going on worldwide.

Possible ways to handle:

1. Change port as others suggested - works great for me.
2. Make sure you can only authenticate using public/private keys.
3. Install "denyhosts", which adds attacking IP's to /etc/hosts.deny based on the sshd logs, also can synchronize info with other attacked hosts.
4. Use iptables to limit number of attempts from each IP.
5. Use iptables to slow down connections from attackers (target "TARPIT").
6. Install a honeypot and send the results to central sites which collect such info.

That's all folks,

--Amos

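The log-driven blocking in items 3 and 4, as an added example that is not part of the original thread and is not denyhosts' own code: it counts failed sshd logins per source address in constructed sample log lines, builds /etc/hosts.deny entries, and lists the sources that stay under the threshold, which is the "each time from a different IP address" case from the original question. The threshold of 3 and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH syslog lines (documentation address ranges).
SAMPLE_LOG = """\
Aug  2 10:15:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Aug  2 10:15:03 host sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 4250 ssh2
Aug  2 10:15:06 host sshd[2105]: Failed password for root from 203.0.113.5 port 4261 ssh2
Aug  2 10:16:10 host sshd[2110]: Failed password for invalid user oracle from 198.51.100.20 port 3921 ssh2
Aug  2 10:16:40 host sshd[2114]: Failed password for invalid user guest from 198.51.100.21 port 3340 ssh2
Aug  2 10:17:02 host sshd[2120]: Accepted publickey for ravid from 192.0.2.10 port 5022 ssh2
"""

# The user name is remote-supplied text, so the greedy match plus the "$"
# anchor take the source address from the end of the line, not the first "from".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?\s*$"
)

def summarize(log_text):
    """Return (failures per source IP, set of invalid usernames tried)."""
    per_ip, invalid_users = Counter(), set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        per_ip[m["ip"]] += 1
        if m["invalid"]:
            invalid_users.add(m["user"])
    return per_ip, invalid_users

def deny_entries(per_ip, threshold=3):
    """hosts.deny lines for sources at or above the failure threshold."""
    return [f"sshd: {ip}" for ip, n in sorted(per_ip.items()) if n >= threshold]

def below_threshold(per_ip, threshold=3):
    """Sources that failed but would never be blocked by a per-IP threshold."""
    return sorted(ip for ip, n in per_ip.items() if n < threshold)

if __name__ == "__main__":
    counts, users = summarize(SAMPLE_LOG)
    print("deny:", deny_entries(counts))
    print("unblocked one-off sources:", below_threshold(counts))
    print("invalid usernames tried:", sorted(users))
```

Sources that never reach the threshold are not stopped by per-IP blocking, which is why key-only authentication (item 2) is worth having alongside it.
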
Re: Someone is picking on my sshd
this is very common, those stupid bots do it on every open ssh port they find around. given proper usernames and passwords, they are pretty benign imho, but they flood the logs so much...
personally, changing the ssh port on my home machine eliminated the problem completely.

On 8/2/07, Ravid Baruch Naali <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> Does anyone else get this frequently?
> Some kind of automated program trying to log into my sshd, each time from
> a different IP address. Of course (I hope) all of the users are invalid.
>
> Did any of you notice it? And if so what are your solutions?
>
> Thanks in advance
> Ravid
> --
> Ravid Baruch Naali
> E-mail: [EMAIL PROTECTED]
> Mobile: 052-5830021
> Home/Office:04-6732729

Re: Someone is picking on my sshd
On 8/2/07, Ravid Baruch Naali <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> Does anyone else get this frequently?
> Some kind of automated program trying to log into my sshd, each time from a
> different IP address. Of course (I hope) all of the users are invalid.
>
> Did any of you notice it? And if so what are your solutions?

There are bots/zombies that do this. They are usually looking for either enum users, or dictionary (aka brute force) logins (and passwords)...

The easiest way to solve this is to bind a different port than 22...
Other ways are to "open" the port using a web based tool (such as Cisco's firewalls for example).

And if you want to really get creative, I can think of more solutions as well :)

> Thanks in advance
> Ravid
> --
> Ravid Baruch Naali
> E-mail: [EMAIL PROTECTED]
> Mobile: 052-5830021
> Home/Office:04-6732729

Ido
--
http://ik.homelinux.org/

Someone is picking on my sshd
Hi List,

Does anyone else get this frequently?
Some kind of automated program trying to log into my sshd, each time from a different IP address. Of course (I hope) all of the users are invalid.

Did any of you notice it? And if so what are your solutions?

Thanks in advance
Ravid
--
Ravid Baruch Naali
E-mail: [EMAIL PROTECTED]
Mobile: 052-5830021
Home/Office:04-6732729