Hi,

I have one CentOS 4.3 box, exposed to the internet. Since several weeks ago, I have found numerous attempts to connect through SSH, but they failed.

They tried with many usernames, including root. It comes from different IPs; some of them are foreign websites.

How do I make my CentOS become smarter in handling this kind of attack?

Even though I've disabled all the user accounts, left only the admin accounts, and made the password so hard, longer and combining alphabet, numbers and characters... yet I don't want the attackers to keep on trying.

Any suggestions?

Thanks in advance.
Why not change the port that the SSH daemon listens on? Change it to an unused port > 1024 and you will see that the attempts stop.

Jens

> Hi,
>
> I have one CentOS 4.3 box, exposed to the internet. Since several weeks ago, I have found numerous attempts to connect through SSH, but they failed.
>
> They tried with many usernames, including root. It comes from different IPs; some of them are foreign websites.
>
> How do I make my CentOS become smarter in handling this kind of attack?
>
> Even though I've disabled all the user accounts, left only the admin accounts, and made the password so hard, longer and combining alphabet, numbers and characters... yet I don't want the attackers to keep on trying.
>
> Any suggestions?
>
> Thanks in advance.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
On Feb 15, 2007, at 8:02 AM, Mohd Syakir wrote:

> I have one CentOS 4.3 box, exposed to the internet. Since several weeks ago, I have found numerous attempts to connect through SSH, but they failed.
>
> They tried with many usernames, including root. It comes from different IPs; some of them are foreign websites.
>
> How do I make my CentOS become smarter in handling this kind of attack?

DenyHosts is very good at cutting down on these attacks:

http://denyhosts.sourceforge.net/

There's a denyhosts package in rpmforge.

-steve

--
If this were play'd upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night
mike.redan at bell.ca
2007-Feb-15 13:20 UTC
[CentOS] Defending against simultaneous attacks
> They tried with many usernames, including root. It comes from different IPs; some of them are foreign websites.
>
> How do I make my CentOS become smarter in handling this kind of attack?
>
> Even though I've disabled all the user accounts, left only the admin accounts, and made the password so hard, longer and combining alphabet, numbers and characters... yet I don't want the attackers to keep on trying.
>
> Any suggestions?

Just do what you are doing. Keep only essential accounts active, set strong passwords. Keep up to date on patches. There are tons of people that will scan your machine that is connected to the internet.

As another person said, you can use some scripting along with iptables to auto-block some people. If you know exactly where you will be SSH'ing in from, set up iptables to only allow that address to SSH in.

If you are looking for something to play with... hmm:

- port knocking
- two-factor authentication
- the DenyHosts script previously mentioned
- just don't open SSH to the world

Mike
Mohd Syakir wrote:

> Hi,
>
> I have one CentOS 4.3 box, exposed to the internet. Since several weeks ago, I have found numerous attempts to connect through SSH, but they failed.
>
> They tried with many usernames, including root. It comes from different IPs; some of them are foreign websites.
>
> How do I make my CentOS become smarter in handling this kind of attack?
>
> Even though I've disabled all the user accounts, left only the admin accounts, and made the password so hard, longer and combining alphabet, numbers and characters... yet I don't want the attackers to keep on trying.

Also use rate limiting in iptables. Search for "iptables limit ssh" for examples.

Dean
Mohd Syakir wrote:

> Any suggestions?

I use a combination of the already mentioned DenyHosts, and also I turn off password authentication. I then generate SSH key pairs, which ensures that only the machines I want connecting, which have the key, can connect. With that and the DenyHosts utility, when someone offends, a) they can't connect to begin with because of the keys, and b) DenyHosts adds them to a deny file and won't allow them to connect again from the offending IP.

There are a number of ways to accomplish what you seek.

Max
Mohd Syakir spake the following on 2/15/2007 5:02 AM:

> Hi,
>
> I have one CentOS 4.3 box, exposed to the internet. Since several weeks ago, I have found numerous attempts to connect through SSH, but they failed.
>
> They tried with many usernames, including root. It comes from different IPs; some of them are foreign websites.
>
> How do I make my CentOS become smarter in handling this kind of attack?
>
> Even though I've disabled all the user accounts, left only the admin accounts, and made the password so hard, longer and combining alphabet, numbers and characters... yet I don't want the attackers to keep on trying.
>
> Any suggestions?
>
> Thanks in advance.

You can try fail2ban. ATrpms has a binary.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
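DenyHosts (Steve's suggestion) and fail2ban both do the same basic thing: read the sshd log, count failed logins per source address inside a time window, and block the address once it crosses a threshold. The Python below is an added example, not the code of either project, that implements that loop over a few constructed /var/log/secure lines (documentation addresses and a made-up hostname) and emits hosts.deny entries in the format DenyHosts appends. The year 2007 is assumed because syslog timestamps carry none, and the threshold of 3 failures in 300 seconds is an arbitrary choice. The same window-and-hitcount idea is what Dean's iptables rate limit applies at the packet level.

```python
"""Added example (not DenyHosts or fail2ban code): the counting loop both
tools run over the sshd log. A source address that reaches `threshold`
failed logins within any `window` seconds is reported, and hosts.deny lines
in the format DenyHosts writes are produced for it.

Assumptions: the "Failed password for ..." line format of OpenSSH on CentOS 4
(both the 'invalid user' and older 'illegal user' spellings are accepted);
syslog timestamps carry no year, so 2007 is assumed; the log lines below are
constructed, with documentation addresses and a made-up hostname.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Feb 15 08:02:11 coco sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 41201 ssh2
Feb 15 08:02:13 coco sshd[2233]: Failed password for invalid user test from 198.51.100.7 port 41205 ssh2
Feb 15 08:02:16 coco sshd[2235]: Failed password for root from 198.51.100.7 port 41210 ssh2
Feb 15 08:02:19 coco sshd[2237]: Failed password for root from 198.51.100.7 port 41214 ssh2
Feb 15 08:10:02 coco sshd[2301]: Failed password for summer from 203.0.113.5 port 50110 ssh2
Feb 15 08:10:09 coco sshd[2303]: Accepted publickey for summer from 203.0.113.5 port 50112 ssh2
Feb 15 08:20:40 coco sshd[2350]: Failed password for invalid user oracle from 192.0.2.44 port 3390 ssh2
Feb 15 09:05:12 coco sshd[2480]: Failed password for invalid user oracle from 192.0.2.44 port 3391 ssh2
Feb 15 09:50:30 coco sshd[2611]: Failed password for invalid user oracle from 192.0.2.44 port 3392 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(ts, year=2007):
    """Turn a syslog timestamp into a datetime; the year is an assumption."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def offenders(lines, threshold=3, window=300):
    """Return {ip: (failures_in_window, time_of_trigger)} for sources that hit
    `threshold` failed logins within `window` seconds.

    A per-address deque holds the timestamps of recent failures; entries older
    than the window are dropped before counting, so three failures spread over
    an hour never trip a 5-minute window. Once an address is reported it is
    ignored for the rest of the log, like a banned host whose later packets
    are dropped.
    """
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if m is None or m.group("ip") in banned:
            continue          # successful logins, other daemons, already banned
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = (len(q), t)
    return banned


def hosts_deny_lines(banned):
    """Format banned addresses the way DenyHosts appends them to hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG.splitlines())
    for ip, (count, when) in hits.items():
        print(f"{ip}: {count} failures by {when:%b %d %H:%M:%S}")
    print("\n".join(hosts_deny_lines(hits)))
```

On the sample, only 198.51.100.7 is reported (three failures in five seconds); the single failure from 203.0.113.5 and the three failures from 192.0.2.44 spread over 90 minutes stay below the threshold. Widening the window to two hours catches 192.0.2.44 as well, which is the trade-off both tools leave to their configuration.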
Mohd Syakir wrote:

> Hi,
>
> I have one CentOS 4.3 box, exposed to the internet. Since several weeks ago, I have found numerous attempts to connect through SSH, but they failed.
>
> They tried with many usernames, including root. It comes from different IPs; some of them are foreign websites.
>
> How do I make my CentOS become smarter in handling this kind of attack?
>
> Even though I've disabled all the user accounts, left only the admin accounts, and made the password so hard, longer and combining alphabet, numbers and characters... yet I don't want the attackers to keep on trying.
>
> Any suggestions?

I don't need to connect from many places, so this helps:

summer at coco:~$ grep -i ss /etc/hosts.*[wy]
/etc/hosts.allow:sshd: 192.168. 203.34. 220.235. 203.59. 203.55. 203.33. 202.72. 203.15.140. 203.33
/etc/hosts.deny:sshd: ALL
summer at coco:~$

In fact, it works so well I get hardly any.

You can also use iptables to limit the rate at which connexions are accepted; they tend to go away when things time out.

--
Cheers
John

--
spambait
1aaaaaaa at coco.merseine.nu
Z1aaaaaaa at coco.merseine.nu

Please do not reply off-list
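John's grep output is the TCP wrappers approach: sshd on CentOS is linked against libwrap, hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed in. The Python below is an added example, not libwrap, that reproduces that lookup order and the client patterns used in his file (ALL, the trailing-dot address prefix, exact addresses; net/mask patterns are handled too, EXCEPT lists and hostname patterns are not). The two file contents are constructed copies. One caveat the example makes visible: the final pattern on his hosts.allow line, 203.33 without a trailing dot, is treated by hosts_access as an exact address and so matches no real client; the earlier 203.33. pattern is the one doing the work.

```python
"""Added example (not libwrap): the hosts.allow / hosts.deny lookup that
TCP-wrapped daemons such as sshd perform, applied to a copy of John's rules.

Lookup order (hosts_access(5)): a matching line in hosts.allow grants access,
otherwise a matching line in hosts.deny refuses it, otherwise access is
granted. Client patterns handled here: ALL, a trailing-dot address prefix
("203.34." matches 203.34.x.x), n.n.n.n/m.m.m.m or n.n.n.n/len networks, and
an exact address. EXCEPT lists, hostname patterns and the other wildcards are
not implemented. The two file contents below are constructed.
"""
import ipaddress

HOSTS_ALLOW = """\
# constructed copy of the line John's grep showed
sshd: 192.168. 203.34. 220.235. 203.59. 203.55. 203.33. 202.72. 203.15.140. 203.33
"""
HOSTS_DENY = """\
sshd: ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] for each rule line."""
    rules = []
    text = text.replace("\\\n", "")            # join backslash continuations
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule (no client list): {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def match_client(pattern, ip):
    """Does one client pattern match the dotted-quad client address?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # "203.34." -> address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                         # net/mask in either notation
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return ip == pattern                       # anything else: exact address


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return (any(match_daemon(d, daemon) for d in daemons)
            and any(match_client(c, ip) for c in clients))


def access_allowed(daemon, ip, allow_text, deny_text):
    """hosts.allow first, then hosts.deny, then the default of allowing."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for client in ("192.168.1.5", "203.15.140.9", "203.15.141.9", "198.51.100.7"):
        ok = access_allowed("sshd", client, HOSTS_ALLOW, HOSTS_DENY)
        print(f"sshd from {client}: {'allow' if ok else 'deny'}")
```

Because the deny file only names sshd, a client refused for SSH would still be allowed to reach any other wrapped service on the host; `ALL: ALL` in hosts.deny is the usual way to close that gap when every permitted service is listed in hosts.allow.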
Hello,

you can let sshd listen on port 222, for example. Edit /etc/ssh/sshd_conf, in the line "#Port 22".

Greetz

Mohd Syakir wrote:

> Hi,
>
> I have one CentOS 4.3 box, exposed to the internet. Since several weeks ago, I have found numerous attempts to connect through SSH, but they failed.
>
> They tried with many usernames, including root. It comes from different IPs; some of them are foreign websites.
>
> How do I make my CentOS become smarter in handling this kind of attack?
>
> Even though I've disabled all the user accounts, left only the admin accounts, and made the password so hard, longer and combining alphabet, numbers and characters... yet I don't want the attackers to keep on trying.
>
> Any suggestions?
>
> Thanks in advance.
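The file is /etc/ssh/sshd_config, and a commented-out `#Port 22` line only documents the default: sshd skips comment lines and uses the first occurrence of each keyword, so a second `Port` line further down has no effect. The Python below is an added example, not part of OpenSSH, that reads sshd_config with those rules and checks the settings this thread recommends (Jens's and this reply's port change, Max's key-only login). It also covers a detail Max's advice needs on a PAM system: `PasswordAuthentication no` alone still lets a password be typed through keyboard-interactive unless `ChallengeResponseAuthentication no` is set too. The two config texts are constructed and the DEFAULTS table holds the stock OpenSSH defaults for the keywords checked.

```python
"""Added example (not OpenSSH code): read sshd_config the way sshd does and
report which of the thread's recommendations are not in effect.

sshd rules applied here: lines starting with '#' are comments, keywords are
case-insensitive, keyword and value are separated by whitespace or a single
'=', and the FIRST occurrence of a keyword wins; a Match line ends the global
section and is not interpreted. DEFAULTS lists the stock OpenSSH defaults for
the keywords checked. The two config texts are constructed.
"""
import re
import sys

DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed: a stock file in which the Port line is only a comment.
STOCK_CONFIG = """\
#Port 22
Protocol 2
PasswordAuthentication yes
"""

# Constructed: the hardened file. The duplicate at the end is deliberate, to
# show that sshd keeps the first value and ignores the later one.
HARDENED_CONFIG = """\
Port 222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# the next line is ignored: the first PasswordAuthentication above wins
PasswordAuthentication yes
"""


def effective_config(text):
    """Return {lowercase keyword: value} with first-occurrence-wins semantics."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"keyword without value: {raw!r}")
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            break                # conditional blocks are out of scope here
        cfg.setdefault(key, value)
    return cfg


def audit(text):
    """List the thread's recommendations that the given config does not meet."""
    eff = {**DEFAULTS, **effective_config(text)}
    findings = []
    if eff["port"] == "22":
        findings.append("Port is 22: every scanner finds it; move it as the thread suggests")
    if eff["permitrootlogin"] not in ("no", "without-password"):
        findings.append("PermitRootLogin allows root password logins")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off; key pairs cannot be used")
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on; set it to no once keys are installed")
    if eff["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is on: with PAM this still "
                        "prompts for a password even when PasswordAuthentication is no")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            text = f.read()
    else:
        text = STOCK_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Point it at the live file with `python audit.py /etc/ssh/sshd_config`. After changing the file, restart sshd and open a second session with the new settings before closing the one you are in, so a typo in the port or a missing key does not lock you out.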