SSH brute force attacks

**bigtomrodney** · 06-27-2005

Hey dudes, got a couple of SSH brute force attempts over the last few days. I opened up port 22 so I could SSH from work. I had three seperate attempts, could be sniffers, but I was using Bittorrent at the time so it may just have been chancers. Thing is, I don't particularly want ot have to shutdown SSH (it is temporarily), don't see that I should have to. So any recommendations? What should I be doing, and apart from /var/log and the various .bash_history filesis there anything I should check to see if I'm compromise.

Gonna put on my rootkithunter again, hadn't put it on since I last upgraded. Any help appreciated guys. In fact here's your bananas in advance....

**Krendoshazin** · 06-27-2005

disable ssh to all accounts that don't need it, esspecially remote root login, use strong passwords, at least 8 characters long consisting of numbers and letters both upper case and lower case, also consider using a script that blocks an ip through iptables after a certain amount of failures.
that's just off the top of my head, i'm sure there's some more things you can do

**bigtomrodney** · 06-27-2005

Cheers man, where do I set user rights to SSH? I'm new to remoting linux. Btw I ran rkhunter and I'm clean, so at least none of the attacks were successful. Keeping it clean!
Changed my passwords anyway to be sure.

**anomie** · 06-27-2005

Use tcp wrappers to restrict which subnets can access ssh, if that will be ok for you.

Have a look at: /etc/hosts.allow and /etc/hosts.deny.

If you can comfortably live with restricting to just a couple subnets, this is a really important step.

Rather than reinventing the wheel, here are some more tips on hardening SSH service: http://forums.suselinuxsupport.de/in...howtopic=14577

All points may or may not apply for your distro..

**designbydave** · 06-27-2005

i recenlty got ssh setup and working on my linux box.

how did you know there were brute force attempts on the machine?

**kkubasik** · 06-27-2005

cat /var/log/sshd.log

**deek** · 06-27-2005

Look in your logs...

In slackware, take a look at your /var/log/messages log. You should see lines like these:

Jun 26 17:26:43 slack sshd[2586]: Invalid user dorothy from 66.135.35.110
Jun 26 17:26:43 slack sshd[2586]: Failed password for invalid user dorothy from 66.135.35.110 port 52420 ssh2

Date, time, server name (slack is mine), sshd (is the process) and then you see the user name and ip...at least that is what I have found to be true. I see these in my logs from time to time, but rarely if ever, from the same IP and hardly ever for more than a minute or two worth of attempts.

**M0J0** · 06-27-2005

Another thing that you can do is change the ssh protocol version to ssh2 instead of ssh1. Also, changing the default port from 22 to something complete different also helps as well.

With a combination of that and using TCP wrappers to only allow certain subnets to your box, you would make your box a bit more difficult to get into.

Nothing is full proof, but it's just one of many road blocks to put up again intruders.

**anomie** · 06-27-2005

Another thing that you can do is change the ssh protocol version to ssh2 instead of ssh1.

Definitely. (And that is listed in the URL I gave.)

**Kingedgar** · 06-28-2005

I also found running sshd on a nonstandard port slows down the attempts as well.

Thread Tools

Display

SSH brute force attacks

Posting Permissions