Hey dudes, got a couple of SSH brute force attempts over the last few days. I opened up port 22 so I could SSH from work. I had three separate ...
- 06-27-2005 #1
SSH brute force attacks
Gonna put on my rootkithunter again, hadn't put it on since I last upgraded. Any help appreciated guys. In fact here's your bananas in advance....
- 06-27-2005 #2
disable ssh to all accounts that don't need it, especially remote root login, use strong passwords, at least 8 characters long consisting of numbers and letters both upper case and lower case, also consider using a script that blocks an ip through iptables after a certain amount of failures.
that's just off the top of my head, i'm sure there's some more things you can do
- 06-27-2005 #3
Cheers man, where do I set user rights to SSH? I'm new to remoting linux. Btw I ran rkhunter and I'm clean, so at least none of the attacks were successful. Keeping it clean!
Changed my passwords anyway to be sure.
- 06-27-2005 #4
Use tcp wrappers to restrict which subnets can access ssh, if that will be ok for you.
Have a look at: /etc/hosts.allow and /etc/hosts.deny.
If you can comfortably live with restricting to just a couple subnets, this is a really important step.
Rather than reinventing the wheel, here are some more tips on hardening SSH service: http://forums.suselinuxsupport.de/in...howtopic=14577
All points may or may not apply for your distro..
- 06-27-2005 #5
i recently got ssh setup and working on my linux box.
how did you know there were brute force attempts on the machine?
Registered Linux User # 392752
- 06-27-2005 #6
- 06-27-2005 #7
Look in your logs...
In slackware, take a look at your /var/log/messages log. You should see lines like these:
Jun 26 17:26:43 slack sshd: Invalid user dorothy from 22.214.171.124
Jun 26 17:26:43 slack sshd: Failed password for invalid user dorothy from 126.96.36.199 port 52420 ssh2
Date, time, server name (slack is mine), sshd (is the process) and then you see the user name and ip...at least that is what I have found to be true. I see these in my logs from time to time, but rarely if ever, from the same IP and hardly ever for more than a minute or two worth of attempts.
Join the Open Source Revolution. Support GNU/Linux.
Find me at: www.deeksworld.com
Registered GNU/Linux User #395777
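The log check described in the post above, as an added example that is not part of the thread: a Python script that reads sshd lines in the quoted /var/log/messages format and reports source addresses with repeated failed passwords in a short window. The function name, the threshold of 5 failures in 60 seconds, the assumed year and the sample lines are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed password" line format quoted in the post, with or without a [pid].
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2005):
    """Return {ip: sorted usernames tried} for sources with at least `threshold`
    failures inside any sliding `window`. Syslog omits the year, so it is assumed."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that source has tried
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # "Invalid user", "Accepted password", other daemons
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        users[ip].add(m["user"])
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = users[ip]
    return {ip: sorted(names) for ip, names in flagged.items()}

# Constructed sample in the format shown in the post
# (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Jun 26 17:26:43 slack sshd: Invalid user dorothy from 203.0.113.7
Jun 26 17:26:43 slack sshd: Failed password for invalid user dorothy from 203.0.113.7 port 52420 ssh2
Jun 26 17:26:45 slack sshd: Failed password for invalid user admin from 203.0.113.7 port 52431 ssh2
Jun 26 17:26:47 slack sshd: Failed password for root from 203.0.113.7 port 52440 ssh2
Jun 26 17:26:49 slack sshd: Failed password for invalid user test from 203.0.113.7 port 52452 ssh2
Jun 26 17:26:51 slack sshd: Failed password for invalid user guest from 203.0.113.7 port 52467 ssh2
Jun 26 17:30:02 slack sshd: Failed password for alice from 198.51.100.20 port 40112 ssh2
Jun 26 17:41:10 slack sshd: Accepted password for alice from 198.51.100.20 port 40150 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, names in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: repeated failures, users tried: {', '.join(names)}")
```

A single mistyped password from a legitimate user, like the 198.51.100.20 line in the sample, stays below the threshold and is not reported.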
- 06-27-2005 #8
Another thing that you can do is change the ssh protocol version to ssh2 instead of ssh1. Also, changing the default port from 22 to something completely different also helps as well.
With a combination of that and using TCP wrappers to only allow certain subnets to your box, you would make your box a bit more difficult to get into.
Nothing is foolproof, but it's just one of many road blocks to put up against intruders.
- 06-27-2005 #9
Another thing that you can do is change the ssh protocol version to ssh2 instead of ssh1.
- 06-28-2005 #10
I also found running sshd on a nonstandard port slows down the attempts as well.