Will McDonald wrote: >On 13/02/06, John Merritt <jmerritt@xxxxxxxxxxxxxxxxx> wrote: > > >>Hi, >> >>I get ssh connect attempts all the time, to my servers at home and at >>work. I've noticed lately they come from a certain ip address, hitting >>every 3 or 4 seconds, trying 50 or 100 different user names and >>passwords. And I get these sweeps from 2 or 3 ip addresses a day. I >>guess this is an automated attempt to guess a user/pass and break into a >>system. >> >> > >This question's popped up a fair few times in the last couple of >weeks/months. I wonder, if haven't already got one, might it be worth >setting up a CentOS mailing list FAQ? > >I think the general concensus in the past has been... > >* Only allow SSH v2 RSA/DSA key-based authentication and use agent >forwarding (i.e. *not* passwordless private keys) >* Run SSHd on a non-standard port >* Disallow root logins via SSH >* Only allow users that belong to a specific group to connect via SSH, >typically people use the "wheel" group but a custom group is easily >substituted >* Use a denyhosts script or similar >* If you know absolutely where all SSH connections originate from drop >all other traffic on that port bar the know IP address/range > >As long as you at least understand the basics of how and why you're >doing these things, the more layers of security you add the better. > >Will. >_______________________________________________ >CentOS mailing list >CentOS@xxxxxxxxxx >http://lists.centos.org/mailman/listinfo/centos > > > Hi, Thanks to everyone who responded. I learned a lot today. What I've done is moved sshd to an alternate port, and also set up hosts.allow and hosts.deny by daemon, to only allow sshd to connect from hosts of mine without blocking other services. Now when they scan port 22 sshd appears to not be running. If they do guess the alternate port and try a user/pass on it, they'll get stopped by tcpwrappers from even trying a password. I like the sound of AFP; I didn't install it yet. It sounds like it gives the appearance of port 22 being closed, only it will allow connections from your chosen ips. It says on the web site there are rpms for it, but I didn't see them. One thing I may be amiss in though, is your number one suggestion above: * Only allow SSH v2 RSA/DSA key-based authentication and use agent forwarding (i.e. *not* passwordless private keys) Right now I use passwords for some ssh connections, and passwordless ssh for crontab rsyncs, using passwordless rsa keys. (When it asked to enter a password for ssh-keygen I just hit enter). Does this leave me vulnerable? Is there a how-to on this that explains how to use ssh-agent with keys with passes? Thanks, John John