Hah, time for me to rival Aaron in response length.
SSHd failed logins are *very* *very* common. Here are a few things you can
do to protect yourself.
1) Run sshd on a strange port (I used 1022 for a while). While this doesn't
prevent true hacking attempts (they'll use nmap), this'll help reduce the
bot logins; in fact, this was the ONLY solution I had to use.
2) Use iptables to block IPs who hammer with bad passwords. Here's a script
I've seen recommended:
(script coming, based on the skel script from debian)
#! /bin/sh
#
# ssh-bruteforce
#
# Author: Michael Greb <[EMAIL PROTECTED]>.
#
# Version: @(#)ssh-bruteforce 1.0 26-Mar-2005
#
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="iptables for ssh brute force mitigation"
NAME=ssh-bruteforce
SCRIPTNAME=/etc/init.d/$NAME
#
# Function that starts the daemon/service.
#
d_start() {
    # Whitelist chain: a source listed here is dropped from the "SSH" recent
    # table and accepted, so it can never be rate limited.
    iptables -N SSH_WHITELIST
    iptables -A SSH_WHITELIST -s 70.187.46.105 -m recent --remove --name SSH -j ACCEPT
    # Record every new connection to port 22 in the "SSH" recent table.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    # Give whitelisted sources a chance to be accepted before the limit is checked.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    # A 4th new connection from the same source within 60 seconds is logged
    # (ULOG target; needs the ULOG module) and then dropped.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
        --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
        --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
}
case "$1" in
  start)
    echo -n "Starting $DESC: $NAME"
    d_start
    echo "."
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start}" >&2
    exit 1
    ;;
esac
exit 0
(endscript)
Take this line:
iptables -A SSH_WHITELIST -s 70.187.46.105 -m recent --remove --name SSH -j ACCEPT
and edit it to match your current IP, and duplicate it if you want more
whitelisted.
3) You can use pubkey authentication only. This disables passwords, and
only allows clients which have the pubkey file to connect. This is good if
you only connect from one box, or use a USB key with a personalized putty/sshd.
More information can be found at the linode forums, here:
http://www.linode.com/forums/viewtopic.php?t=1157
Okay. That's my longest post ever. Woo!
--
Jason Faulkner
------------------------
OldOs.org Owner/Admin / http://oldos.org / [EMAIL PROTECTED]
------------------------
Certified INGOTS Gold Assessor Trainer / http://www.theingots.org
------------------------
OpenOffice.org Marketing Volunteer / [EMAIL PROTECTED]
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
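As an added example (not part of the post above, and not Michael Greb's script), here is the same 4-hits-in-60-seconds policy from the iptables rules applied to sshd "Failed password" lines instead of to new TCP connections, so you can check an auth.log for sources that would have tripped the rule and confirm a whitelisted address is left alone. The log lines, the host name and the year (syslog timestamps carry none) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (not real traffic). 203.0.113.5 hammers
# four times in 19 seconds; 198.51.100.9 spaces its attempts 90 seconds apart.
SAMPLE_LOG = """\
Mar 26 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 4011 ssh2
Mar 26 10:00:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4012 ssh2
Mar 26 10:00:09 host sshd[1236]: Failed password for root from 203.0.113.5 port 4013 ssh2
Mar 26 10:00:12 host sshd[1237]: Accepted publickey for jason from 198.51.100.7 port 5000 ssh2
Mar 26 10:00:20 host sshd[1238]: Failed password for root from 203.0.113.5 port 4014 ssh2
Mar 26 10:00:30 host sshd[1239]: Failed password for root from 198.51.100.9 port 6000 ssh2
Mar 26 10:02:00 host sshd[1240]: Failed password for root from 198.51.100.9 port 6001 ssh2
Mar 26 10:03:30 host sshd[1241]: Failed password for root from 198.51.100.9 port 6002 ssh2
Mar 26 10:05:00 host sshd[1242]: Failed password for root from 198.51.100.9 port 6003 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Yield (timestamp, source_ip, user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bruteforcers(log_text, seconds=60, hitcount=4, whitelist=()):
    """Return {ip: time_of_trip} for sources with >= hitcount failures inside
    a sliding window of `seconds`, mirroring -m recent --seconds/--hitcount.
    Whitelisted sources are skipped, like the SSH_WHITELIST chain."""
    windows = defaultdict(deque)  # per-source timestamps inside the window
    tripped = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in whitelist or ip in tripped:
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:  # expire old hits
            q.popleft()
        if len(q) >= hitcount:
            tripped[ip] = ts
    return tripped
```

Note that 198.51.100.9 never trips the default window: a source that stays under four attempts per minute passes the iptables rule just as it passes this check, which is why the post also recommends pubkey-only authentication.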