how to react on ssh attacks?

Patrick Nelson pnelson at neatech.com
Tue Oct 25 17:15:00 UTC 2005


Jeff Vian wrote:

>On Mon, 2005-10-24 at 09:49 +0000, Stephanus Fengler wrote:
>  
>
>>Dear list readers,
>>
>>I know that this is not a security list but it seems a good starting 
>>point for me as an ordinary user to ask whether someone can point me in 
>>the right direction.
>>
>>I recently checked my log files of my ssh service (so far as I 
>>understand this is my only service open) and realized that from the very 
>>same IP I got a lot of request trying to guess a user name on my system, 
>>I assume, since the login name always changes, even in chronological 
>>alphabetical order.
>>
>>So shall I worry about it, or do I need to take some countermeasures?
>>
>>Requests look like:
>>Oct 23 10:49:42 ********* sshd[15806]: Failed password for root from 
>>81.208.32.170 port 1354 ssh2
>>    
>>
>
>As you have already realized, it is generally not safe to allow ssh
>access for root.  In fact, Fedora by default does not allow root to have
>ssh access.
>
>I recently set up a nifty utility on an FC4 server called sshdfilter.
>It allows at most 3 guesses of a password for a valid user before
>blocking, and only one try with an invalid name or without the ssh id.
>It does require that you have iptables running to do its job.
>
>I got the tool and instructions here.
>http://www.csc.liv.ac.uk/~greg/sshdfilter/
>It was extremely easy to set up using the instructions for FC3 with
>slight modifications for FC4 and seems to work well.
>
>Since installing it I have gotten an average of 4 - 5 hits a day from
>the script kiddies, as compared to at times over 1000 per day before the
>filter was installed.
>
>Since I also run an ftp server I am considering a similar approach to
>blocking hacking attempts there as well.
>
>
>  
>
>>If someone can point me in the right direction what to do and what 
>>certainly not to do I would be thankful.
>>
>>    
>>
I found that making sshd on an internet-facing machine only accept keys
is more secure.  You can turn off password auth in /etc/ssh/sshd_config
with a "PasswordAuthentication no" line.  However, the attempts at your
system are not thwarted.  There are a few methods, but the one that
sounds cool and that I followed on the IPTables list is here:

  https://lists.netfilter.org/pipermail/netfilter/2005-June/060914.html

HTH
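The blocking policy Jeff describes for sshdfilter (at most 3 password guesses against a valid account, only 1 attempt with an invalid user name, then an iptables block) can be replayed against sshd log lines. The script below is an added example for this thread, not sshdfilter's own code and not from anyone on the list: it assumes the OpenSSH syslog format shown in Stephanus's log excerpt ("Failed password for [invalid user ]NAME from IP port N ssh2"), the thresholds quoted above, and an illustrative DROP rule on port 22 as the block action. The sample log is constructed with documentation addresses. Note that setting "PasswordAuthentication no" stops the guesses from ever succeeding but, as Patrick says, does not stop the attempts from being logged, which is the noise this kind of filter addresses.

```python
#!/usr/bin/env python3
"""sshdfilter-style blocking policy applied to sshd log lines.

Added example for this thread, not sshdfilter's own code.  Assumptions:
 - log lines use the OpenSSH/syslog form shown in the thread, e.g.
   'sshd[PID]: Failed password for [invalid user ]NAME from IP port N ssh2'
 - thresholds follow the reply above: a source IP is blocked after
   3 failed passwords for a valid user, or after 1 attempt with an
   invalid user name
 - the emitted iptables command is an illustrative DROP rule on port 22
"""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

VALID_USER_LIMIT = 3    # guesses allowed against an existing account
INVALID_USER_LIMIT = 1  # guesses allowed against a non-existent account

# Constructed sample log (documentation addresses, not a real capture).
SAMPLE_LOG = """\
Oct 23 10:49:42 host sshd[15806]: Failed password for root from 192.0.2.10 port 1354 ssh2
Oct 23 10:49:45 host sshd[15808]: Failed password for root from 192.0.2.10 port 1355 ssh2
Oct 23 10:49:48 host sshd[15810]: Failed password for invalid user admin from 192.0.2.20 port 2201 ssh2
Oct 23 10:49:51 host sshd[15812]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Oct 23 10:49:55 host sshd[15814]: Failed password for root from 192.0.2.10 port 1356 ssh2
Oct 23 10:50:01 host sshd[15816]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Oct 23 10:50:04 host sshd[15818]: Failed password for invalid user test from 192.0.2.20 port 2202 ssh2
"""


def parse_failure(line):
    """Return {'ip', 'user', 'invalid'} for a failed-password line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "user": m.group("user"),
            "invalid": m.group("invalid") is not None}


def blocked_ips(lines, valid_limit=VALID_USER_LIMIT,
                invalid_limit=INVALID_USER_LIMIT):
    """Replay log lines and return [(ip, reason)] in the order each IP
    crossed its limit.  Counters are per source IP; an IP is reported once."""
    failures = defaultdict(int)   # (ip, "valid"|"invalid") -> count
    blocked, already = [], set()
    for line in lines:
        f = parse_failure(line)
        if f is None or f["ip"] in already:
            continue
        kind = "invalid" if f["invalid"] else "valid"
        failures[(f["ip"], kind)] += 1
        n = failures[(f["ip"], kind)]
        limit = invalid_limit if f["invalid"] else valid_limit
        if n >= limit:
            blocked.append((f["ip"], "%d %s-user failure(s), last for %s"
                            % (n, kind, f["user"])))
            already.add(f["ip"])
    return blocked


def iptables_rules(blocked, port=22):
    """Translate block decisions into iptables commands (strings, not run)."""
    return ["iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port)
            for ip, _ in blocked]


if __name__ == "__main__":
    decisions = blocked_ips(SAMPLE_LOG.splitlines())
    for ip, reason in decisions:
        print("block %-15s %s" % (ip, reason))
    print("\n".join(iptables_rules(decisions)))
```

On the sample, 192.0.2.20 is blocked on its first invalid-user attempt and 192.0.2.10 on its third failure for root, while the single failure from 198.51.100.5 stays under the limit. To use it against a real host, feed it /var/log/secure and run the printed commands; a production filter would also expire the blocks after some time, as sshdfilter does.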

More information about the fedora-list mailing list