Hi All,
thanks for the substantial and numerous replies I received on this ssh issue.
Thanks also to Robert Gauld for his informative VPS setup page.
I read the pages at
, specifically FAQ answer 1.3 on sshd
configuration changes, and liked the 'PermitRootLogin no' and changed 'Port'
settings (mentioned by more than a few people here at bitfolk).
Security by obscurity should do it for now.
Cheers,
Max
________________________________
From: Michael Corliss <michaeljcorliss(a)gmail.com>
To: Andy Smith <andy(a)bitfolk.com>
Cc: users(a)lists.bitfolk.com
Sent: Fri, October 8, 2010 9:24:14 PM
Subject: Re: [bitfolk] how do *you* deal with ssh attack ?
I use an RSA key for SSH and Fail2Ban with iptables for everything,
which seems to work well. I followed a setup guide created by another
Bitfolk user:
Hi Max,
On Fri, Oct 08, 2010 at 11:35:14AM -0700, Max B wrote:
> Hi All,
> I received several ssh attacks over the past week, and wonder how, if at all,
> to deal with them.
Welcome to the Internet. :)
Go to:
http://lists.bitfolk.com/lurker/list/users.en.html
and type "ssh" after the "ml:users" in the search box at the bottom
to see some previous discussions.
Short answers:
I use and recommend Fail2ban if changing SSH port is not an option.
> Are they just script kiddies?
Mostly hosts which have already fallen to previous dictionary
attacks and are now doing further dictionary attacks.
Every couple of months a BitFolk VPS gets compromised in this manner
and the customer only notices because our monitoring detects them
trying to do an SSH dictionary attack.
> One address resolves to 'server.pamperedpawsdogboutique.com', a domain
> registered with godaddy. Do I contact godaddy? This attack did not start
> until 7pm on a Friday...
If you want to make this your life, or if you can write a program advanced
enough that it can automatically report this to the right people
every time. Personally, I wouldn't bother, but I occasionally do
receive some automated abuse reports so some people obviously do
bother.
> I might create a blacklist of IP addresses... for example, to filter
> /var/log/auth.log into /etc/hosts.deny... (but that might grow too large)
Several programs to do this are covered in the archives. Fail2ban,
denyhosts.
> Or if I have confidence that my passwords are secure, do I simply ignore them
> as a fact of life?
Might be workable if you will never have users who might set weak
passwords.
Putting it on another port works well because the noise goes away
and the users can mostly adapt without issue.
Cheers,
Andy
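The auth.log-to-hosts.deny idea raised above, and the per-address threshold that tools like Fail2ban and denyhosts apply, as an added example (not code from any list member or from those projects); the log lines, hostnames and addresses are constructed for the example:

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log in syslog format (invented host,
# users and addresses). One address hammers the server, one is a legitimate
# user who mistyped once and then logged in with a key, one is a lone probe.
SAMPLE_AUTH_LOG = """\
Oct  8 19:02:11 vps sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  8 19:02:14 vps sshd[4125]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct  8 19:02:17 vps sshd[4127]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Oct  8 19:02:20 vps sshd[4129]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Oct  8 19:05:01 vps sshd[4140]: Failed password for max from 198.51.100.22 port 40001 ssh2
Oct  8 19:05:09 vps sshd[4142]: Accepted publickey for max from 198.51.100.22 port 40002 ssh2
Oct  8 19:07:30 vps sshd[4150]: Failed password for invalid user guest from 192.0.2.99 port 3333 ssh2
"""

# Matches sshd's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures, most active first.

    A threshold keeps a single typo (198.51.100.22 above) off the list.
    """
    return [ip for ip, n in count_failures(log_text).most_common() if n >= threshold]


def hosts_deny_lines(ips):
    """Format addresses as TCP-wrapper entries for /etc/hosts.deny, sshd only."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_AUTH_LOG)):
        print(entry)
```

sshd only honours /etc/hosts.deny when built with TCP-wrapper (libwrap) support, which later OpenSSH releases dropped, so a firewall rule is the more portable target for the resulting list. Expiring entries after a fixed time, as Fail2ban does, also addresses the "might grow too large" worry.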
_______________________________________________
users mailing list
users(a)lists.bitfolk.com