  1. #1
    Just Joined!
    Join Date
    Jun 2008
    Posts
    33

    [SOLVED] Server receiving a lot of brute force SSH attacks


    Hi all,

    I have a CentOS server running SSHd, I monitor the /var/log/secure logfile which is showing a lot of brute force activity on my SSHd.

    Is there any way I can see the passwords that the attackers are trying? It would be interesting to see.

    The server is configured so that the root user cannot login directly by SSH. There is only one user allowed which is a non standard, non generic username with a strong password.

    Is it possible to see if anyone has used the correct password for the root user - or any other user, but was denied access because of the user filter?

    At the moment I am manually blocking each offensive IP Address at the kernel level using iptables, which is getting a bit tedious after a while.

    Is it worth moving my SSHd to a different port? I imagine this would prevent most of the attacks unless someone executed a port scan to reveal the new port.

    I understand I can configure iptables to only accept a list of predefined IP Addresses but this isn't ideal for my circumstances, so is a last resort.

    Thanks in advance.

  2. #2
    Linux Engineer Freston's Avatar
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,049
    Quote Originally Posted by the182guy
    Is it worth moving my SSHd to a different port? I imagine this would prevent most of the attacks unless someone executed a port scan to reveal the new port.
    Yeah, I used to get ~400 attacks per day. I moved my SSH port, and now I've not had a single one for years. Most of these attacks are scripted attacks looking for vulnerable targets.

    This won't help if you have a real attacker with an intent to crack your system, because as you say it's easy enough to run a port scan. But your logs will be a lot more quiet now all automated attacks are no longer in there.
    Can't tell an OS by its GUI

  3. #3
    Just Joined! TheBoogyMaster's Avatar
    Join Date
    Apr 2009
    Posts
    51
    What you can do is configure iptables to allow traffic from the networks you use... and you can change the port too, like Freston said.

  4. #4
    Just Joined!
    Join Date
    Jun 2008
    Posts
    33
    Thanks for the info all, that helps a lot.
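
An added example, not part of any post in this thread: one way to replace the manual per-address blocking described in the first post. It tallies failed logins per source address from sshd lines in the /var/log/secure format and returns iptables commands for review; the sample lines, the threshold and the function names are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress
import re
from collections import Counter

# The user name in a failed-login line is chosen by the client, so the greedy
# (.*) and the $ anchor take the source address from the end of the line only.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) "
    r"from (\S+) port \d+(?: ssh\d?)?$"
)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for .* from (\S+) port \d+")

# Constructed sample lines; line 3 carries a user name that imitates a log suffix.
SAMPLE = """\
Jun 12 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 12 03:14:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 03:14:05 host sshd[2102]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 203.0.113.5 port 51240 ssh2
Jun 12 03:20:00 host sshd[2110]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Jun 12 03:20:09 host sshd[2110]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Jun 12 03:21:00 host sshd[2120]: Failed password for root from 198.51.100.7 port 2222 ssh2
""".splitlines()

def tally(lines):
    """Return (failures per IP, user names tried per IP, IPs that logged in)."""
    failures, users, trusted = Counter(), {}, set()
    for line in lines:
        if m := FAILED.search(line.rstrip()):
            try:
                ip = str(ipaddress.IPv4Address(m.group(2)))
            except ValueError:
                continue  # IPv6 or malformed address: skipped in this example
            failures[ip] += 1
            users.setdefault(ip, Counter())[m.group(1)] += 1
        elif m := ACCEPTED.search(line):
            trusted.add(m.group(1))
    return failures, users, trusted

def block_commands(lines, threshold=5):
    # Never propose a block for an address that also logged in successfully.
    failures, _, trusted = tally(lines)
    return [
        f"iptables -I INPUT -s {ip} -j DROP"
        for ip, count in sorted(failures.items())
        if count >= threshold and ip not in trusted
    ]

if __name__ == "__main__":
    print("\n".join(block_commands(SAMPLE, threshold=3)))
```

sshd records the user name of each failed attempt but not the password that was tried, so the per-address user tally is as much as these log lines can show.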
