[SGVLUG] ssh protection - advice desired

Robert Leyva mrflash818 at geophile.net
Tue Oct 18 19:12:48 PDT 2011


Following the presentation on ssh tricks, I set up an sshd server instance
on my debian workstation, using public key auth, and was able to be
successful.

I made sure to disable root login, and any password login attempts by
modifying sshd_config.

In the hour I was testing the new wonder, I was also tailing my auth log.

To my chagrin, in the two times I tested, I had many attempts to access my
ssh:

Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
...
Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed because not listed in AllowUsers

So, I am hoping I could get advice or suggestions on what further
protections I could add (if any).
- I don't think static firewall rules would help, as I am hoping to ssh
into my box from anywhere
- I am guessing there is a way to have automation block or slow down
attempts if they begin to seem suspicious.


Me
-- 
"Knowledge is Power" -- Sir Francis Bacon

Robert Leyva
mrflash818 at geophile.net
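
Added example, not part of the original post: one way to do the detection half of the automation the message guesses at, counting rejected logins per source address in a sliding window over the auth log lines quoted above. The function name, the threshold of 3, the one-minute window and the year argument are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log lines copied from the post (the wrapped last line rejoined).
SAMPLE_LOG = """\
Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed because not listed in AllowUsers
"""

# The two rejection messages that appear in the post's log excerpt.
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from (?P<ip1>\S+)"
    r"|User \S+ from (?P<ip2>\S+) not allowed because .*)$"
)

def find_offenders(log_text, threshold=3, window=timedelta(minutes=1), year=2011):
    """Map each source IP to the time it first reached `threshold` rejections within `window`."""
    recent = defaultdict(deque)  # ip -> rejection times still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if not m:
            continue
        ip = m.group("ip1") or m.group("ip2")
        # Syslog timestamps omit the year, so the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > window:  # drop rejections older than the window
            seen.popleft()
        if len(seen) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S}  {ip} reached the threshold; candidate for a temporary block")
```

On the quoted lines only 184.105.177.21 reaches three rejections within a minute; 197.112.2.4 made four attempts spread over nine minutes, so the threshold and window have to be tuned against the real log.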



