<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; background-color: rgb(255, 255, 255); ">PLEASE REMOVE ME, THIS IS MY 2nd request.<div><br>Thanks, <a href="mailto:rlpeterson@gmail.com" target="_blank" style="color: rgb(0, 0, 204); ">rlpeterson@gmail.com</a></div>
</span><br><div class="gmail_quote">On Tue, Oct 18, 2011 at 7:23 PM, Scott Packard <span dir="ltr"><<a href="mailto:spackard@gmail.com">spackard@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Look at <a href="http://denyhosts.pl" target="_blank">denyhosts.pl</a>.<br>It automatically edits your hosts.deny file based on failed login attempts,<br>and talks to other denyhosts users worldwide so an attack on one host<br>
is denied on all other participants.<br>
After several days you should get into a distributed database the crackers keep,<br>which will cut down a little on traffic. If you start running peer-to-peer file sharing<br>on that host then you'll get a lot of new people trying to knock on your ssh door, and those<br>
people don't keep a distributed database of hosts not to try.<br><br>Also, in general, you are not getting much traffic, imo. I would routinely get multiple <br>attempts per minute.<br><br>Regards, Scott<br><br><div class="gmail_quote">
<div class="im">
On Tue, Oct 18, 2011 at 7:12 PM, Robert Leyva <span dir="ltr"><<a href="mailto:mrflash818@geophile.net" target="_blank">mrflash818@geophile.net</a>></span> wrote:<br></div><div><div></div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Following the presentation on ssh tricks, I set up an sshd server instance<br>
on my Debian workstation, using public key auth, and was able to be<br>
successful.<br>
<br>
I made sure to disable root login, and any password login attempts by<br>
modifying sshd_config.<br>
<br>
In the hour I was testing the new wonder, I was also tail-ing my auth log.<br>
<br>
To my chagrin, in the two times I tested, I had many attempts to access my<br>
ssh:<br>
<br>
Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4<br>
Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4<br>
Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4<br>
Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4<br>
Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120<br>
Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120<br>
...<br>
Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21<br>
Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21<br>
Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21<br>
Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed<br>
because not listed in AllowUsers<br>
<br>
So, I am hoping I could get advice or suggestions on what further<br>
protections I could add (if any).<br>
- I don't think static firewall rules would help, as I am hoping to ssh<br>
into my box from anywhere<br>
- I am guessing there is a way to have automation block or slowdown<br>
attempts if they begin to seem suspicious.<br>
<br>
<br>
Me<br>
<font color="#888888">--<br>
"Knowledge is Power" -- Sir Francis Bacon<br>
<br>
Robert Leyva<br>
<a href="mailto:mrflash818@geophile.net" target="_blank">mrflash818@geophile.net</a><br>
<br>
<br>
</font></blockquote></div></div></div><br>
</blockquote></div><br>
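<div>The mechanism Scott describes (watch the auth log, count failed logins per source address, and write the offenders into hosts.deny) is small enough to show end to end. The script below is an added example written for this page; it is not DenyHosts' code, nor anything posted in the thread, and it leaves out the cross-host sharing Scott mentions. The sample log is constructed from the lines Robert quoted (with the wrapped "not allowed because not listed in AllowUsers" message restored to the single line sshd actually writes), and the year, threshold and window are assumptions chosen for the example.</div>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the auth.log excerpt quoted in the thread.
# sshd writes the AllowUsers rejection as one line; the e-mail wrapped it.
SAMPLE_AUTH_LOG = """\
Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed because not listed in AllowUsers
"""

# The two sshd failure messages that appear in the thread. Classic syslog
# timestamps carry no year, so the caller supplies one (assumed 2011 here).
_TS = r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
FAILURE_PATTERNS = [
    re.compile(_TS + r" \S+ sshd\[\d+\]: Invalid user \S+ from (?P<ip>[\d.]+)"),
    re.compile(_TS + r" \S+ sshd\[\d+\]: User \S+ from (?P<ip>[\d.]+) not allowed because"),
]


def parse_failure(line, year):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    for pat in FAILURE_PATTERNS:
        m = pat.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, m.group("ip")
    return None


def find_offenders(lines, year=2011, threshold=3, window_seconds=600):
    """Sliding-window counter over the log.

    An address is flagged the first time it accumulates `threshold` failures
    within `window_seconds`. Returns {ip: time_of_the_failure_that_tripped_it}.
    Log lines that are not sshd failures are ignored.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that have aged out
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def render_hosts_deny(flagged):
    """Format flagged addresses as /etc/hosts.deny entries ("daemon: client")."""
    return "".join(f"sshd: {ip}\n" for ip in sorted(flagged))


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in sorted(offenders.items()):
        print(f"{ip} crossed the threshold at {when:%b %d %H:%M:%S}")
    print(render_hosts_deny(offenders), end="")
```

<div>On the sample, 197.112.2.4 and 184.105.177.21 trip the three-failures-in-ten-minutes rule and 111.87.108.120 (two attempts) does not; shrinking the window to one minute leaves only 184.105.177.21, whose four attempts arrive within twenty seconds. Two caveats before wiring something like this into cron: sshd only honours hosts.deny when it is built against libwrap, and OpenSSH dropped tcp_wrappers support in 6.7, so on a current system the output belongs in a firewall rule rather than hosts.deny; and the counter above never expires an entry, so a real deployment needs a purge step, as DenyHosts has, or a laptop that mistypes a key path will lock itself out.</div>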