Page 1 of 3 (Results 1 to 10 of 23)
#1 bigtomrodney, Linux Guru (Ireland; joined Nov 2004; 6,133 posts)

    SSH brute force attacks


    Hey dudes, got a couple of SSH brute force attempts over the last few days. I opened up port 22 so I could SSH from work. I had three separate attempts, could be sniffers, but I was using Bittorrent at the time so it may just have been chancers. Thing is, I don't particularly want to have to shut down SSH (it is temporarily), don't see that I should have to. So any recommendations? What should I be doing, and apart from /var/log and the various .bash_history files, is there anything I should check to see if I'm compromised?

    Gonna put on my rootkithunter again, hadn't put it on since I last upgraded. Any help appreciated guys. In fact here's your bananas in advance....


#2 Krendoshazin, Linux User (London, England; joined Feb 2005; 471 posts)
    Disable SSH for all accounts that don't need it, especially remote root login; use strong passwords, at least 8 characters long consisting of numbers and letters, both upper case and lower case; also consider using a script that blocks an IP through iptables after a certain amount of failures.
    That's just off the top of my head, I'm sure there are some more things you can do.

#3 bigtomrodney, Linux Guru (Ireland; joined Nov 2004; 6,133 posts)
    Cheers man, where do I set user rights to SSH? I'm new to remoting linux. Btw I ran rkhunter and I'm clean, so at least none of the attacks were successful. Keeping it clean!
    Changed my passwords anyway to be sure.

#4 anomie, Linux Guru (Texas; joined Mar 2005; 1,692 posts)
    Use tcp wrappers to restrict which subnets can access ssh, if that will be ok for you.

    Have a look at: /etc/hosts.allow and /etc/hosts.deny.

    If you can comfortably live with restricting to just a couple subnets, this is a really important step.

    Rather than reinventing the wheel, here are some more tips on hardening SSH service: http://forums.suselinuxsupport.de/in...howtopic=14577

    All points may or may not apply for your distro..

#5 Linux Newbie (California!; joined Mar 2005; 159 posts)
    I recently got ssh set up and working on my Linux box.

    how did you know there were brute force attempts on the machine?

#6 kkubasik, Linux Guru (Lat: 39:03:51N Lon: 77:14:37W; joined Mar 2004; 2,396 posts)
    cat /var/log/sshd.log

#7 deek, Linux Newbie (Fort Wayne, IN; joined Mar 2005; 248 posts)
    Look in your logs...

    In slackware, take a look at your /var/log/messages log. You should see lines like these:

    Jun 26 17:26:43 slack sshd[2586]: Invalid user dorothy from 66.135.35.110
    Jun 26 17:26:43 slack sshd[2586]: Failed password for invalid user dorothy from 66.135.35.110 port 52420 ssh2


    Date, time, server name (slack is mine), sshd (the process) and then you see the user name and IP... at least that is what I have found to be true. I see these in my logs from time to time, but rarely, if ever, from the same IP and hardly ever for more than a minute or two worth of attempts.
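The two pieces of advice above, the "script that blocks an IP through iptables after a certain amount of failures" from post #2 and the log lines from post #7, fit together in one short script. This is an added example, not code from the thread: it reads auth-log lines in the format post #7 shows, counts "Failed password" entries per source IP, and prints the iptables commands for any IP over a threshold. The sample log is constructed for the example (the 66.135.35.110 address is taken from post #7; 192.0.2.10 is a documentation address), and the script prints the iptables rules rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SSH logins per source IP
# in syslog-style sshd lines and emit iptables rules for repeat offenders.

# Constructed sample log in the format post #7 shows for Slackware's
# /var/log/messages. Five failures from one host, one failure and one
# success from a legitimate user.
SAMPLE_LOG='Jun 26 17:26:43 slack sshd[2586]: Invalid user dorothy from 66.135.35.110
Jun 26 17:26:43 slack sshd[2586]: Failed password for invalid user dorothy from 66.135.35.110 port 52420 ssh2
Jun 26 17:26:45 slack sshd[2588]: Failed password for invalid user admin from 66.135.35.110 port 52431 ssh2
Jun 26 17:26:47 slack sshd[2590]: Failed password for root from 66.135.35.110 port 52440 ssh2
Jun 26 17:26:49 slack sshd[2592]: Failed password for invalid user test from 66.135.35.110 port 52451 ssh2
Jun 26 17:27:02 slack sshd[2594]: Failed password for invalid user oracle from 66.135.35.110 port 52460 ssh2
Jun 26 17:30:11 slack sshd[2601]: Failed password for tom from 192.0.2.10 port 40001 ssh2
Jun 26 17:30:20 slack sshd[2603]: Accepted password for tom from 192.0.2.10 port 40002 ssh2'

# failed_by_ip: read log lines on stdin, print "COUNT IP" per source address,
# most failures first. Only "Failed password" lines count; "Invalid user" is
# logged for the same attempt and would double-count it.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port [0-9]* ssh2$/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# offenders THRESHOLD: print only the IPs with at least THRESHOLD failures.
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# block_offenders THRESHOLD: print one iptables command per offender.
# The rule is inserted at the top of INPUT so it wins over an earlier ACCEPT.
# Printing rather than executing keeps the script safe to try; pipe the
# output into `sh` as root to apply it.
block_offenders() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Usage (from a cron job, replace the sample with the real log file):
#   printf '%s\n' "$SAMPLE_LOG" | block_offenders 5
```

With a threshold of 5 only 66.135.35.110 is blocked; tom's single typo from 192.0.2.10 is left alone. A threshold that is too low turns a brute forcer's spoofable source address into a way to lock out your own office, so pick it above the number of mistakes a real user makes, and whitelist the subnet you connect from before the DROP rule.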

#8 Just Joined! (Los Angeles, CA; joined Jun 2005; 3 posts)
    Another thing that you can do is change the ssh protocol version to ssh2 instead of ssh1. Also, changing the default port from 22 to something completely different helps as well.

    With a combination of that and using TCP wrappers to only allow certain subnets to your box, you would make your box a bit more difficult to get into.

    Nothing is foolproof, but it's just one of many road blocks to put up against intruders.

#9 anomie, Linux Guru (Texas; joined Mar 2005; 1,692 posts)
    Another thing that you can do is change the ssh protocol version to ssh2 instead of ssh1.
    Definitely. (And that is listed in the URL I gave.)

#10 Just Joined! (Iowa; joined Nov 2004; 43 posts)
    I also found running sshd on a nonstandard port slows down the attempts as well.
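The sshd_config changes recommended across the thread (posts #2, #8, #9 and #10: no root login, only the accounts that need SSH, protocol 2 only, a non-standard port) all live in one file, which answers the "where do I set user rights to SSH?" question from post #3. The script below is an added example, not from the thread or the OpenSSH project: it shows a weak configuration beside a hardened one and audits a config for the settings the thread asks for. Both configs are constructed for the example; the directive names are real OpenSSH ones. The Protocol directive belongs to the OpenSSH versions of the period, and current releases only speak protocol 2.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the hardening
# the thread recommends. Read the config on stdin, print one line per finding.

# Constructed weak config: roughly the defaults of the era. Root may log in
# directly, protocol 1 is still offered, and every local account can use SSH.
WEAK_CONFIG='Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers tom'

# Constructed hardened config. Keys only (PasswordAuthentication no) should be
# switched on only after your public key is in ~/.ssh/authorized_keys and a
# key login has been tested, or you lock yourself out.
HARDENED_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
AllowUsers tom
PasswordAuthentication no
MaxAuthTries 3'

# setting NAME: print the effective value of a directive from the config on
# stdin. sshd honours the first uncommented occurrence, so stop at the first
# match; commented-out lines start with "#" and never match.
setting() {
    awk -v k="$1" 'tolower($1) == tolower(k) {print $2; exit}'
}

# audit_sshd_config: read a config on stdin and report each weak setting.
# Prints nothing when every checked directive is in its hardened state.
audit_sshd_config() {
    cfg=$(cat)
    v=$(printf '%s\n' "$cfg" | setting Protocol)
    [ "$v" = "2" ] || echo "Protocol: want 2, found '${v:-unset}'"
    v=$(printf '%s\n' "$cfg" | setting PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin: want no, found '${v:-unset}'"
    v=$(printf '%s\n' "$cfg" | setting AllowUsers)
    [ -n "$v" ] || echo "AllowUsers: not set, every local account can log in over SSH"
    v=$(printf '%s\n' "$cfg" | setting Port)
    [ "${v:-22}" != "22" ] || echo "Port: 22, the port the brute forcers scan for"
    v=$(printf '%s\n' "$cfg" | setting PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication: want no (keys only), found '${v:-unset}'"
}

# Usage: audit the running config, then try the hardened sample.
#   audit_sshd_config < /etc/ssh/sshd_config
#   printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
```

Run `sshd -t` after editing the real file to catch syntax errors before restarting, and keep your current session open while you test a new connection. For post #4's TCP wrappers the corresponding pair is a line such as `sshd: 192.0.2.0/255.255.255.0` in /etc/hosts.allow and `sshd: ALL` in /etc/hosts.deny; hosts.allow is consulted first, so the office subnet gets in and everyone else is refused before a password prompt is ever shown.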
