[SGVLUG] ssh protection - advice desired

Scott Packard spackard at gmail.com
Tue Oct 18 19:23:10 PDT 2011


Look at denyhosts.pl.

It automatically edits your hosts.deny file based on failed login attempts,
and talks to other denyhosts users worldwide so an attack on one host
is denied on all other participants.

After several days you should get into a distributed database the crackers
keep, which will cut down a little on traffic. If you start running
peer-to-peer file sharing on that host then you'll get a lot of new people
trying to knock on your ssh door, and those people don't keep a distributed
database of hosts not to try.

Also, in general, you are not getting much traffic, imo. I would routinely
get multiple attempts per minute.

Regards, Scott
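The core of what denyhosts automates is counting failed logins per source address in the auth log and turning repeat offenders into hosts.deny entries. The following is an added illustration, not denyhosts code and not from this list: it parses the two sshd line formats quoted in this thread ("Invalid user ... from ..." and "User ... from ... not allowed"), flags any source with three or more failures inside ten minutes, and emits the matching hosts.deny lines. The log lines are constructed (documentation-range addresses), and the threshold and window are assumed tuning knobs.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two sshd failure lines quoted in the thread: invalid user, and a user
# refused by AllowUsers. Syslog lines carry no year, so one is passed in.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
NOT_ALLOWED = re.compile(r"sshd\[\d+\]: User (\S+) from (\d+\.\d+\.\d+\.\d+) not allowed")


def parse_failures(lines, year=2011):
    """Yield (timestamp, user, source_ip) for each failed-login line; skip the rest."""
    for line in lines:
        m = INVALID_USER.search(line) or NOT_ALLOWED.search(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        yield stamp, m.group(1), m.group(2)


def offenders(lines, threshold=3, window_secs=600):
    """Return source IPs with >= threshold failures inside any window_secs span."""
    per_ip = defaultdict(list)
    for stamp, _user, ip in parse_failures(lines):
        per_ip[ip].append(stamp)
    flagged = []
    for ip, stamps in per_ip.items():  # insertion order = first-seen order
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_secs:
                flagged.append(ip)
                break
    return flagged


def hosts_deny_lines(ips):
    """Format hosts.deny entries that refuse sshd connections from the flagged sources."""
    return [f"sshd: {ip}" for ip in ips]


# Constructed sample: one fast burst (203.0.113.5), one slow pair (198.51.100.7),
# one source spread over hours (192.0.2.9), and a successful key login as noise.
SAMPLE_LOG = [
    "Oct 18 01:59:55 myhost sshd[26361]: Invalid user oracle from 203.0.113.5",
    "Oct 18 02:00:02 myhost sshd[26367]: Invalid user test from 203.0.113.5",
    "Oct 18 02:00:09 myhost sshd[26370]: User root from 203.0.113.5 not allowed because not listed in AllowUsers",
    "Oct 18 02:05:00 myhost sshd[26400]: Accepted publickey for rob from 198.51.100.7 port 51234 ssh2",
    "Oct 18 03:12:02 myhost sshd[27000]: Invalid user oracle from 198.51.100.7",
    "Oct 18 03:12:09 myhost sshd[27003]: Invalid user test from 198.51.100.7",
    "Oct 18 04:00:00 myhost sshd[27100]: Invalid user peter from 192.0.2.9",
    "Oct 18 06:00:00 myhost sshd[27300]: Invalid user peter from 192.0.2.9",
    "Oct 18 08:00:00 myhost sshd[27500]: Invalid user sergei from 192.0.2.9",
]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

Widening the window catches the slow scanner too, which is the trade-off between blocking quickly and blocking a legitimate user who fat-fingers a key passphrase a few times.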

On Tue, Oct 18, 2011 at 7:12 PM, Robert Leyva <mrflash818 at geophile.net> wrote:

> Following the presentation on ssh tricks, I set up an sshd server instance
> on my debian workstation, using public key auth, and was able to be
> successful.
>
> I made sure to disable root login, and any password login attempts by
> modifying sshd_config.
>
> In the hour I was testing the new wonder, I was also tail-ing my auth log.
>
> To my chagrin, in the two times I tested, I had many attempts to access my
> ssh:
>
> Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
> Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
> Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
> Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
> Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
> Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
> ...
> Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
> Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
> Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
> Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed
> because not listed in AllowUsers
>
> So, I am hoping I could get advice or suggestions on what further
> protections I could add (if any).
> - I don't think static firewall rules would help, as I am hoping to ssh
> into my box from anywhere
> - I am guessing there is a way to have automation block or slowdown
> attempts if they begin to seem suspicious.
>
>
> Me
> --
> "Knowledge is Power" -- Sir Francis Bacon
>
> Robert Leyva
> mrflash818 at geophile.net
>
>
>