[SGVLUG] ssh protection - advice desired

Sean O'Donnell sean at seanodonnell.com
Tue Oct 18 21:22:41 PDT 2011


Running a public-facing ssh server on port 22 is like hosting a honeypot for rogue brute-force bots.

If you can run on a non-standard port, you will see far fewer, if any, failed brute-force attempts.

Sent from my iPhone w/ love.

On Oct 18, 2011, at 7:12 PM, "Robert Leyva" <mrflash818 at geophile.net> wrote:

> Following the presentation on ssh tricks, I set up an sshd server instance
> on my debian workstation, using public key auth, and was able to be
> successful.
> 
> I made sure to disable root login, and any password login attempts by
> modifying sshd_config.
> 
> In the hour I was testing the new wonder, I was also tailing my auth log.
> 
> To my chagrin, in the two times I tested, I had many attempts to access my
> ssh:
> 
> Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
> Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
> Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
> Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
> Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
> Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
> ...
> Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
> Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
> Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
> Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed because not listed in AllowUsers
> 
> So, I am hoping I could get advice or suggestions on what further
> protections I could add (if any).
> - I don't think static firewall rules would help, as I am hoping to ssh
> into my box from anywhere
> - I am guessing there is a way to have automation block or slow down
> attempts if they begin to seem suspicious.
> 
> 
> Me
> -- 
> "Knowledge is Power" -- Sir Francis Bacon
> 
> Robert Leyva
> mrflash818 at geophile.net
> 
> 

