ssh attack




On 13/02/06, John Merritt <jmerritt@xxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into a
> system.

This question's popped up a fair few times in the last couple of
weeks/months. I wonder, if we haven't already got one, might it be worth
setting up a CentOS mailing list FAQ?

I think the general consensus in the past has been...

* Only allow SSH v2 RSA/DSA key-based authentication and use agent
forwarding (i.e. *not* passwordless private keys)
* Run SSHd on a non-standard port
* Disallow root logins via SSH
* Only allow users that belong to a specific group to connect via SSH,
typically people use the "wheel" group but a custom group is easily
substituted
* Use a denyhosts script or similar
* If you know absolutely where all SSH connections originate from, drop
all other traffic on that port bar the known IP address/range

As long as you at least understand the basics of how and why you're
doing these things, the more layers of security you add the better.

Will.
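
The sshd_config side of the checklist above can be audited mechanically. The following is an added example, not part of the original post: it checks the global section of a config against the list, using real sshd_config keywords, a constructed sample config and a hypothetical group name "sshusers". It assumes whole-line comments only and reports a keyword as "unset" rather than guessing the compiled-in default.

```python
# Added example: audit the global section of an sshd_config against the
# checklist in the post. SAMPLE is constructed; "sshusers" is hypothetical.
SAMPLE = """\
# Constructed sample, not taken from the thread.
Port 22
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
AllowGroups sshusers
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

def parse_global(text):
    """Map lowercase keyword -> list of values, stopping at the first Match."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are out of scope for this audit
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        opts.setdefault(key, []).append(value)
    return opts

# (label, keyword, predicate over the values in file order).
# sshd keeps the FIRST value of most keywords, so v[0] is the effective one;
# Port is cumulative: sshd listens on every port listed.
CHECKS = [
    ("ssh v2 only", "protocol", lambda v: v[0] == "2"),
    ("no password logins", "passwordauthentication", lambda v: v[0] == "no"),
    ("non-standard port", "port", lambda v: "22" not in v),
    ("no root login", "permitrootlogin", lambda v: v[0] == "no"),
    ("group restriction", "allowgroups", lambda v: any(v)),
]

def audit(text):
    """Return {label: "ok" | "weak" | "unset"} for each checklist item."""
    opts = parse_global(text)
    return {label: ("unset" if key not in opts else
                    "ok" if ok(opts[key]) else "weak")
            for label, key, ok in CHECKS}

if __name__ == "__main__":
    for label, status in audit(SAMPLE).items():
        print(f"{status:5}  {label}")
```

On a live host, `sshd -T` prints the effective settings and is the better source than the file. Keyboard-interactive logins are controlled by a separate keyword, so "PasswordAuthentication no" alone does not prove key-only access.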
