how to react on ssh attacks?

Stephanus Fengler fengler at uiuc.edu
Mon Oct 24 11:49:32 UTC 2005


Michael A. Peters wrote:

>On Mon, 2005-10-24 at 09:49 +0000, Stephanus Fengler wrote:
>  
>
>>Dear list readers,
>>
>>I know that this is not a security list but it seems a good starting 
>>point for me as an ordinary user to ask whether someone can point me in 
>>the right direction.
>>
>>I recently checked the log files of my ssh service (as far as I 
>>understand this is my only open service) and realized that from the very 
>>same IP I got a lot of requests trying to guess a user name on my system, 
>>I assume, since the login name always changes in even chronological 
>>alphabetical order.
>>
>>So shall I worry about it, or do I need to take some countermeasures?
>>    
>>
>
>1) Make sure root login via ssh is disabled
>It's not by default.
>
>in /etc/sshd_config
>
>there will be a line that reads
>
>PermitRootLogin yes
>
>change the yes to no and then restart the sshd daemon
>
>2) Turn it off altogether if you don't need it
>
>3) Make sure all of your passwords are sane.
>
>-=-
>These random attacks are pretty common - they sniff networks for open
>ssh ports, and when they find one - they try root with a bunch of
>passwords, and then common user names with a bunch of passwords.
>
>It's not really something to worry about - if you have root login
>disabled, any attempts to ssh in as root will fail - and they only get
>in if they happen to guess a user name AND a password. That's not likely
>to happen if you have good passwords on your system (i.e. a meaningless
>combination of letters, numbers, and other characters at least 10
>characters long)
>
>-=-
>If you only ssh in from specific hosts, you can limit ssh access to
>those hosts only - or you can use a pass key - where the connection is
>not done with passwords at all, but done with a pass phrase only - which
>requires a key on the connecting machine that has been signed by your
>private key.
>
>  
>
Thanks Mr. Peters,
I changed sshd_config and restarted the daemon... root at localhost is 
denied now, which is fine; I also thought it was disabled by default, which it 
wasn't. Since I am the only user of the machine and know all account 
passwords, I can say that they are secure and long enough.

I also read the answers from Tom Yates and Boris Glawe. I am not sure 
yet how I have to set up the iptables rules mentioned on Tom's page 
http://www.teaparty.net/technotes/ssh-rate-limiting.html but I will start 
looking into it.

Up to now I was only running the standard configuration of fc firewall 
which can be set with /usr/bin/system-config-securitylevel with the only 
trusted service ssh.

Thanks for your answers,

fengler
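A small defender-side check, added here as an example and not part of the thread, that scans sshd log lines of the kind the original post describes and reports source IPs that cycle through many usernames (the log lines and IP addresses are constructed; the thresholds are assumptions):

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines in the syslog format of the era; not from the thread.
SAMPLE_LOG = """\
Oct 24 09:12:01 host sshd[2311]: Invalid user aaron from 192.0.2.10
Oct 24 09:12:03 host sshd[2313]: Invalid user abby from 192.0.2.10
Oct 24 09:12:05 host sshd[2315]: Invalid user adam from 192.0.2.10
Oct 24 09:12:07 host sshd[2317]: Failed password for root from 192.0.2.10 port 4411 ssh2
Oct 24 09:12:09 host sshd[2319]: Failed password for invalid user admin from 192.0.2.10 port 4412 ssh2
Oct 24 09:30:41 host sshd[2402]: Failed password for fengler from 198.51.100.7 port 50122 ssh2
Oct 24 09:30:48 host sshd[2402]: Accepted publickey for fengler from 198.51.100.7 port 50122 ssh2
"""

# Two line shapes sshd emits for failed attempts; both carry the user name and source IP.
INVALID_USER = re.compile(r"Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def summarize(log_text):
    """Return {ip: {"attempts": n, "users": set, "root": bool}} built from failed logins only."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "root": False})
    for line in log_text.splitlines():
        m = INVALID_USER.search(line) or FAILED_PW.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, ip = m.groups()
        entry = stats[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if user == "root":
            entry["root"] = True
    return dict(stats)


def suspicious_sources(stats, min_attempts=5, min_users=3):
    """IPs with many failures spread over many user names: the pattern described in the post.
    The thresholds are assumed values; tune them to your own traffic."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in suspicious_sources(stats):
        s = stats[ip]
        print(f"{ip}: {s['attempts']} failures, {len(s['users'])} user names, root targeted: {s['root']}")
```

On a real system, feed it the contents of /var/log/secure (or wherever sshd logs on your distribution) instead of the constructed sample.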
