top - ssh sessions/processes
Rick Stevens
rstevens at internap.com
Tue Feb 19 17:54:15 UTC 2008
On Sun, 2008-02-17 at 21:20 -0800, Bret Stern wrote:
> Customer just called about a Fedora 6 box with
> an active hard disk. Ran top, and found 10 - 15 ssh tasks running.
>
> This is NOT normal for the specific machine.
>
> So, in /etc/ssh/sshd_config
>
>
> I changed the listen-to port to 5675 and set
>
> PermitRootLogin No
> Protocol 2
> ListenAddress xx.xx.xx.xx (to an internal ip address )
>
>
> Any ideas. Hackers...Yum update
Probably classic ssh attack. I use these rules in iptables to block
that sorta thing:
# This rejects ssh attempts more than twice in 180 seconds...
# First, mark attempts as part of the "sshattack" group...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Optional: Include this line if you want to log these attacks...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
# Finally, reject the connection if more than one attempt is made in 180 seconds...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
If someone tries to ssh more than once in 3 minutes, it blocks their IP
for 3 minutes. The second rule logs these occurrences.
You can tweak the timeouts by adjusting the "--seconds" parameter and
the attempts by tweaking the "--hitcount" parameter (e.g. "--seconds
300" for five minutes instead of three minutes).
> Which log can I look at to see WATZ-UP?
/var/log/secure is the first place. Also the output of dmesg
and /var/log/messages. Make sure you don't permit root ssh access
and if they want root, force them to "sudo bash" (which also creates
a syslog entry).
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- UNIX is actually quite user friendly. The problem is that it's -
- just very picky of who its friends are! -
----------------------------------------------------------------------
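Added example, not part of Rick's post: a small model of how the three "-m recent" rules above decide each SSH SYN, so the effect of "--seconds" and "--hitcount" can be tried out without touching a live firewall. It assumes xt_recent semantics as follows (my reading of the module, stated as an assumption): "--set" appends a timestamp to the source's entry on every packet it sees, creating the entry if needed, and always matches; "--rcheck --seconds S --hitcount N" matches when the entry holds at least N timestamps newer than S seconds and does not modify the entry; the module keeps at most 20 timestamps per address by default. Times are seconds, addresses are constructed samples, and the INPUT chain is assumed to otherwise allow port 22.

```python
from collections import defaultdict

SECONDS = 180      # the rules' --seconds value
HITCOUNT = 2       # the rules' --hitcount value
LIST_LIMIT = 20    # xt_recent keeps at most ip_pkt_list_tot stamps (default 20)


class RecentList:
    """Models one named '-m recent' list (the post's 'sshattack')."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet's time for src (oldest stamp drops off)."""
        stamps = self.stamps[src]
        stamps.append(now)
        if len(stamps) > LIST_LIMIT:
            del stamps[0]

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds --hitcount: true if src has >= hitcount stamps
        within the last `seconds`; the entry is left untouched."""
        if src not in self.stamps:
            return False
        recent = [t for t in self.stamps[src] if now - t <= seconds]
        return len(recent) >= hitcount


def decide(syns, seconds=SECONDS, hitcount=HITCOUNT):
    """syns: list of (time, src_ip) SYNs to port 22 in time order.
    Returns (time, src_ip, verdict, logged) per SYN, walking the rules
    in the post's order: --set, then LOG (non-terminating), then REJECT."""
    table = RecentList()
    out = []
    for now, src in syns:
        table.set(src, now)                        # rule 1 always fires
        hit = table.rcheck(src, now, seconds, hitcount)
        logged = hit                               # rule 2: LOG "SSH REJECT: "
        verdict = "REJECT" if hit else "ACCEPT"    # rule 3: REJECT tcp-reset
        out.append((now, src, verdict, logged))
    return out


# Constructed scenario: one noisy source and one admin who connects normally.
SAMPLE_SYNS = [
    (0,   "203.0.113.7"),    # first attempt: only 1 hit, accepted
    (30,  "203.0.113.7"),    # second within 180 s: rejected and logged
    (100, "198.51.100.5"),   # admin's first attempt: accepted
    (200, "203.0.113.7"),    # 170 s after the rejected try: still rejected
    (400, "203.0.113.7"),    # 200 s of silence: accepted again
    (450, "198.51.100.5"),   # admin again, 350 s later: accepted
]

if __name__ == "__main__":
    for row in decide(SAMPLE_SYNS):
        print(row)
```

Under these assumed semantics the rejected SYN at t=200 is itself recorded by the "--set" rule, so a source keeps being refused until it has been quiet for a full "--seconds" window, while a single connection from the admin is never affected. Raising "--hitcount" or lowering "--seconds" in the call to decide() shows how much burst a legitimate user gets before the reset kicks in.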
More information about the Redhat-install-list mailing list
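Added example, not from the post or the list: a first pass over /var/log/secure of the kind Rick suggests, counting failed and accepted sshd logins per source address, noting "invalid user" and root attempts, and picking out the "sudo bash" entries that sudo writes to syslog. The log lines are constructed samples in the syslog format sshd and sudo used on Fedora-era systems; addresses are from documentation ranges and the hostname "box" is invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure; not a real capture.
SAMPLE_SECURE = """\
Feb 17 20:58:01 box sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Feb 17 20:58:04 box sshd[4122]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Feb 17 20:58:07 box sshd[4124]: Failed password for root from 203.0.113.7 port 41041 ssh2
Feb 17 20:58:09 box sshd[4126]: Failed password for root from 203.0.113.7 port 41055 ssh2
Feb 17 20:58:11 box sshd[4128]: Failed password for invalid user oracle from 203.0.113.7 port 41060 ssh2
Feb 17 21:02:33 box sshd[4201]: Accepted password for bret from 192.168.1.20 port 51022 ssh2
Feb 17 21:02:40 box sudo:    bret : TTY=pts/0 ; PWD=/home/bret ; USER=root ; COMMAND=/bin/bash
Feb 17 21:05:12 box sshd[4233]: Failed password for bret from 192.168.1.20 port 51030 ssh2
Feb 17 21:05:19 box sshd[4233]: Accepted password for bret from 192.168.1.20 port 51030 ssh2
"""

# sshd's "Accepted/Failed <method> for [invalid user ]<user> from <ip> port <n>" line
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# sudo's syslog line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def triage(text, fail_threshold=3):
    """Summarise sshd/sudo activity in `text`; sources with at least
    `fail_threshold` failures are listed as suspects."""
    failed = Counter()
    invalid_users = defaultdict(set)
    root_attempts = Counter()
    accepted = []
    sudo_root = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ip, user = m["ip"], m["user"]
            if m["result"] == "Failed":
                failed[ip] += 1
                if m["invalid"]:                 # username does not exist here
                    invalid_users[ip].add(user)
                if user == "root":               # should be refused anyway with PermitRootLogin no
                    root_attempts[ip] += 1
            else:
                accepted.append((user, ip, m["method"]))
            continue
        s = SUDO_RE.search(line)
        if s and s["target"] == "root":          # e.g. the "sudo bash" Rick mentions
            sudo_root.append((s["user"], s["cmd"]))
    suspects = sorted(ip for ip, n in failed.items() if n >= fail_threshold)
    return {
        "failed": dict(failed),
        "invalid_users": {ip: sorted(u) for ip, u in invalid_users.items()},
        "root_attempts": dict(root_attempts),
        "accepted": accepted,
        "sudo_root": sudo_root,
        "suspects": suspects,
        # a successful login from a source that was guessing is the thing to chase first
        "accepted_from_suspects": [a for a in accepted if a[1] in suspects],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SECURE).items():
        print(f"{key}: {value}")
```

Run it against the real file with triage(open("/var/log/secure").read()); an empty "accepted_from_suspects" list with a long "suspects" list is the usual picture of a password-guessing run that got nowhere, while anything in that list means the box needs a closer look than a port change.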