[SGVLUG] ssh protection - advice desired

Robert Peterson rlpeterson at gmail.com
Tue Oct 18 19:29:46 PDT 2011


PLEASE REMOVE ME, THIS IS MY 2nd request.

Thanks, rlpeterson at gmail.com

On Tue, Oct 18, 2011 at 7:23 PM, Scott Packard <spackard at gmail.com> wrote:

> Look at denyhosts.pl.
> It automatically edits your hosts.deny file based on failed login attempts,
> and talks to other denyhosts users worldwide so an attack on one host
> is denied on all other participants.
> After several days you should get into a distributed database the crackers
> keep, which will cut down a little on traffic.  If you start running
> peer-to-peer file sharing on that host then you'll get a lot of new people
> trying to knock on your ssh door, and those people don't keep a distributed
> database of hosts not to try.
>
> Also, in general, you are not getting much traffic, imo.  I would routinely
> get multiple attempts per minute.
>
> Regards, Scott
>
> On Tue, Oct 18, 2011 at 7:12 PM, Robert Leyva <mrflash818 at geophile.net> wrote:
>
>> Following the presentation on ssh tricks, I set up an sshd server instance
>> on my Debian workstation, using public key auth, and was able to be
>> successful.
>>
>> I made sure to disable root login, and any password login attempts by
>> modifying sshd_config.
>>
>> In the hour I was testing the new wonder, I was also tail-ing my auth log.
>>
>> To my chagrin, in the two times I tested, I had many attempts to access my
>> ssh:
>>
>> Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
>> Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
>> Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
>> Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
>> Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
>> Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
>> ...
>> Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
>> Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
>> Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
>> Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed because not listed in AllowUsers
>>
>> So, I am hoping I could get advice or suggestions on what further
>> protections I could add (if any).
>> - I don't think static firewall rules would help, as I am hoping to ssh
>>   into my box from anywhere
>> - I am guessing there is a way to have automation block or slow down
>>   attempts if they begin to seem suspicious.
>>
>>
>> Me
>> --
>> "Knowledge is Power" -- Sir Francis Bacon
>>
>> Robert Leyva
>> mrflash818 at geophile.net
>>
>>
>>
>