[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSH Attacks - What to do?

To: silug-discuss@silug.org
Subject: Re: SSH Attacks - What to do?
From: Reid Burke <me@reidburke.com>
Date: Sun, 31 Jul 2005 01:28:17 -0500
In-Reply-To: <20050731012729.M10617@bruneworld.com>
Organization: Southern Illinois Linux Users Group
References: <42E7EC49.5090601@mcdonough.net> <20050731011749.GA6015@osiris.silug.org> <20050731012729.M10617@bruneworld.com>
Reply-To: silug-discuss@silug.org
Sender: silug-discuss-owner@silug.org


On Jul 30, 2005, at 8:30 PM, SILUG25 wrote:

> On Sat, 30 Jul 2005 20:17:49 -0500, Steven Pritchard wrote
>
>> On Wed, Jul 27, 2005 at 03:19:21PM -0500, Tim McDonough wrote:
>>
>>> In reviewing the logs on my Linux server I see that for today and  
>>> much
>>> of yesterday someone has a machine set up that's trying to log in
>>> every few seconds via SSH. They have had no success so far. Here's a
>>> snippet of the message log, the file is huge with these things. (The
>>> last two entries are me doing legitimate work.)
>>>
>> [...]
>>
>> I just noticed something like 55k failed login attempts on one of my
>> few systems that has sshd open to the world.  Unfortunately, I can't
>> cut off access to that system, and it would be somewhat painful to
>> disallow password authentication in general.  There seems to be
>> another alternative though:
>>
>>   PermitRootLogin without-password
>>
>> Despite how it sounds, that appears to disable password  
>> authentication
>> for root, but nobody else.
>>
>> Steve
>>
>
> In /etc/ssh/sshd_config, I use the "AllowUsers" option, like this:
>
>      AllowUsers fred, barney, wilma, betty
>
> Note that root isn't one of them.  If I need to be root, I log in  
> as "fred" and
> either use "sudo" or do an "su -".
>
> [...]
>
> Charlie

For even more security, I use AllowUsers to also restrict by IP  
address, for example:

     AllowUsers fred@10.1.1.174, fred@10.1.1.6, barney@192.168.1.*,  
wilma@61.92.211.19, betty@10.1.1.*

Using this setup, especially with /etc/hosts.allow entries, makes the  
chances of a successful attack even slimmer.

Reid Burke        | Systems Assistant, Neon Internet / SchoolCenter
me@reidburke.com  | Owner, Burke Computer Solutions
www.reidburke.com | Web Design & Consulting - www.burkecomputer.com


-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.

Next by Date: You might be a Linux geek..
Prev by thread: Re: You might be a Linux geek.. -- no joke, Linux-only girl goes
Index(es):
- Date
- Thread