SSH hack attempts… bad?
fungus at aros.net
Wed Apr 12 11:28:25 MDT 2006
Justin Findlay wrote:
> On 4/11/06, Wade Preston Shearer <lists at wadeshearer.com> wrote:
>> My server can get up to ~12,000 failed log in attempts recorded in
>> my server's logs in one day. How much of a concern should this be? I
>> am aware of restricting shell access to certain IPs. Will that
>> restrict the handshake or will I still see the attempts in my logs?
>> Are there any ways to restrict the attempts?
> What I've done: 1. Change ssh port to a random non privileged, non
> used port. 2. Use good passwords. 3. Install DenyHosts and change
> the default "protective" settings to "brutally unforgiving" as in
> after 5 tries at a password on any account real or fantastic, that
> host is denied all services for forever.
The simplest thing you can do to reduce the failed log in attempts is to
move ssh to another port. That is not the only thing you should do though.
As previously suggested, add several security layers to it.
Note: some suggestions cause more pain to good people than to the bad.
1. Limit connecting to ssh from certain IPs or netblocks.
   b. tcpwrappers (hosts.allow/hosts.deny)
   c. or other.
2. Hide ssh
   a. move to another port
3. Limit authentication methods
   a. AllowGroups or AllowUsers (see man 5 sshd_config)
   b. PermitRootLogin no
   c. PasswordAuthentication no
      Note: ChallengeResponseAuthentication should be disabled too if
      PAM is enabled.
4. Watch log entries
   a. Use an automated log watcher to block repeated failures
   b. Use logwatch or similar to alert you to important entries
5. Once authenticated limit abilities
   a. For system accounts - verify shell is false, nologin, or similar
   b. For real accounts
      1. Enforce good passwords
      2. Careful with sudo and su abilities.
   c. Keep system up to date to avoid privilege escalation
Each option has its merits and drawbacks; carefully evaluate and
implement the steps that fit well in your situation.
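An added example, not part of the original post: a small Python audit of an sshd_config against items 2a and 3a-3c of the list above, including the ChallengeResponseAuthentication/PAM note. The names `parse_global` and `audit`, the sample config and the assumed default values are constructed for illustration, and Match blocks are ignored.

```python
import re

# Assumed values for keywords the file leaves unset; real defaults differ
# between OpenSSH releases, so check sshd_config(5) on the audited host.
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
                    "challengeresponseauthentication": "yes", "usepam": "no"}

def parse_global(text):
    """Collect every value given for each keyword in the global section."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # conditional blocks are out of scope
            break
        seen.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(text):
    """Return the checklist items (numbered as in the post) the config fails."""
    cfg = parse_global(text)
    # For these keywords sshd uses the first value it reads, not the last.
    first = lambda k: cfg.get(k, [ASSUMED_DEFAULTS[k]])[0].lower()
    on = lambda k: first(k) != "no"
    failed = []
    if "22" in cfg.get("port", ["22"]):     # Port may be listed several times
        failed.append("2a")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        failed.append("3a")                 # no user or group allow-list
    if on("permitrootlogin"):
        failed.append("3b")
    if on("passwordauthentication"):
        failed.append("3c")
    if on("usepam") and on("challengeresponseauthentication"):
        failed.append("3-note")             # PAM can still prompt for a password
    return failed

# Constructed sample: looks hardened, but the first PermitRootLogin wins and
# challenge-response is left unset while PAM is enabled.
SAMPLE = """\
Port 2222
PermitRootLogin yes
PasswordAuthentication no
UsePAM yes
AllowGroups sshusers
permitrootlogin no
"""
if __name__ == "__main__": print(audit(SAMPLE))
```

On a real host, `sshd -T` prints the effective configuration, which is a better input than the raw file when Match blocks or include files are in play.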