[SOLVED] Server receiving a lot of brute force SSH attacks

[the182guy]

Hi all,

I have a CentOS server running SSHd, I monitor the /var/log/secure logfile which is showing a lot of brute force activity on my SSHd.

Is there any way I can see the passwords that the attackers are trying? It would be interesting to see.

The server is configured so that the root user cannot login directly by SSH. There is only one user allowed which is a non standard, non generic username with a strong password.

Is it possible to see if anyone has used the correct password for the root user - or any other user, but was denied access because of the user filter?

At the moment I am manually blocking each offensive IP Address at the kernel level using iptables, which is getting a bit tedious after a while.

Is it worth moving my SSHd to a different port? I imagine this would prevent most of the attacks unless someone executed a port scan to reveal the new port.

I understand I can configure iptables to only accept a list of predefined IP Addresses but this isn't ideal for my circumstances, so is a last resort.

Thanks in advance.

[Freston]

Is it worth moving my SSHd to a different port? I imagine this would prevent most of the attacks unless someone executed a port scan to reveal the new port.

Yeah, I used to get ~400 attacks per day. I moved my SSH port, and now I've not had a single one for years. Most of these attacks are scripted attacks looking for vulnerable targets.

This wont help if you have a real attacker with an intent to crack your system, because as you say it's easy enough to run a port scan. But your logs will be a lot more quiet now all automated attacks are no longer in there.

[TheBoogyMaster]

what you can do its configure iptables to allow trafic from the networks you use... ans you can change the port 2 like Frston said.

[the182guy]

Thanks for the info all, that helps a lot.