Hi All,

Thanks for the substantial and numerous replies I received on this ssh issue.

Thanks also to Robert Gauld for his informative VPS setup page.

I read the pages at denyhosts.net, specifically FAQ answer 1.3 on sshd configuration changes, and liked the 'PermitRootLogin no' and changed 'Port' settings (mentioned by more than a few people here at bitfolk). 

Security by obscurity should do it for now.

Cheers,
Max
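As an added example (not part of Max's post, nor of the denyhosts FAQ he cites), here is a small POSIX shell audit of the two sshd_config settings Max picked up, PermitRootLogin and Port, plus the key-only login that Michael describes below. The two sample configs, the port number 2222, the temporary paths and the OpenSSH 5.x defaults it assumes (Port 22, PermitRootLogin yes, PasswordAuthentication yes) are all assumptions of this example; it reads plain "Keyword value" lines and does not evaluate Match blocks.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed above. Assumes OpenSSH 5.x defaults (Port 22, PermitRootLogin yes,
# PasswordAuthentication yes) and whitespace-separated "Keyword value" lines;
# Match blocks are not evaluated.

# Effective value of a keyword: sshd uses the FIRST non-comment occurrence.
# $1 = config file, $2 = keyword, $3 = default used when the keyword is absent.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { exit }     # stop at Match blocks (not handled)
        tolower($1) == key         { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Report settings a dictionary attack benefits from.
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_sshd_config() {
    conf="$1"; rc=0
    port=$(sshd_value "$conf" Port 22)
    root=$(sshd_value "$conf" PermitRootLogin yes | tr 'A-Z' 'a-z')
    pass=$(sshd_value "$conf" PasswordAuthentication yes | tr 'A-Z' 'a-z')

    if [ "$port" = "22" ]; then
        echo "Port 22: every scanner finds it; a non-default port cuts the log noise"; rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin $root: root is the first account every dictionary attack tries"; rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "PasswordAuthentication $pass: guessing only works while passwords are accepted"; rc=1
    fi
    return $rc
}

# Constructed sample configs (not real files from any VPS).
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
WEAK_CONF="$tmpd/sshd_config.weak"; GOOD_CONF="$tmpd/sshd_config.hardened"
cat > "$WEAK_CONF" <<'EOF'
# stock-looking defaults: nothing from this thread applied yet
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$GOOD_CONF" <<'EOF'
# PermitRootLogin no and a changed Port (Max), key-only login (Michael)
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "== weak";     audit_sshd_config "$WEAK_CONF" || true
echo "== hardened"; audit_sshd_config "$GOOD_CONF" && echo "no findings"
```

Point it at the real file with audit_sshd_config /etc/ssh/sshd_config. Before restarting sshd after editing, check the syntax with sshd -t -f /etc/ssh/sshd_config, open the new port in iptables, and keep the current session open until a second login on the new port and with the key has succeeded, because a typo in this file locks you out of the VPS.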



From: Michael Corliss <michaeljcorliss@gmail.com>
To: Andy Smith <andy@bitfolk.com>
Cc: users@lists.bitfolk.com
Sent: Fri, October 8, 2010 9:24:14 PM
Subject: Re: [bitfolk] how do *you* deal with ssh attack ?

I use an RSA key for SSH and Fail2Ban with iptables for everything,
which seems to work well.  I followed a setup guide created by another
Bitfolk user:  http://www.robertgauld.co.uk/omwb/2010apr~vps-setup-guide

Andy Smith wrote:
> Hi Max,
>
> On Fri, Oct 08, 2010 at 11:35:14AM -0700, Max B wrote:
>   
>> Hi All,
>>
>> I received several ssh attacks over the past week, and wonder how, if at all, to
>> deal with them.
>>     
> Welcome to the Internet. :)
>
> Go to:
>
> http://lists.bitfolk.com/lurker/list/users.en.html
>
> and type "ssh" after the "ml:users" in the search box at the bottom
> to see some previous discussions.
>
> Short answers:
>
> I use and recommend Fail2ban if changing SSH port is not an option.
>
>   
>> Are they just script kiddies?
>>     
> Mostly hosts which have already fallen to previous dictionary
> attacks and are now doing further dictionary attacks.
>
> Every couple of months a BitFolk VPS gets compromised in this manner
> and the customer only notices because our monitoring detects them
> trying to do an SSH dictionary attack.
>
>   
>> One address resolves to 'server.pamperedpawsdogboutique.com', a domain
>> registered with godaddy.  Do I contact godaddy?  This attack did not start until
>> 7pm on a Friday...
>>     
> If you want to make this your life, or if you can write a program advanced
> enough that it can automatically report this to the right people
> every time. Personally, I wouldn't bother, but I occasionally do
> receive some automated abuse reports so some people obviously do
> bother.
>
>   
>> I might create a blacklist of IP addresses... for example, to filter
>> /var/log/auth.log into /etc/hosts.deny... (but that might grow too large)
>>     
> Several programs to do this are covered in the archives. Fail2ban,
> denyhosts.
>
>   
>> Or if I have confidence that my passwords are secure, do I simply ignore them as
>> a fact of life?
>>     
> Might be workable if you will never have users who might set weak
> passwords.
>
> Putting it on another port works well because the noise goes away
> and the users can mostly adapt without issue.
>
> Cheers,
> Andy
>
>   
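Max's idea above, filtering /var/log/auth.log into /etc/hosts.deny, worked through as an added example; this is not code from the thread, nor from Fail2ban or denyhosts, which Andy recommends for the same job. The log lines (documentation addresses only), the threshold of three failures and the temporary paths are constructed for the example; it assumes the syslog line format shown and an sshd built with tcp_wrappers support (Debian's was at the time), without which hosts.deny has no effect on sshd.

```sh
#!/bin/sh
# Added example (not from the thread): the auth.log -> hosts.deny blacklist
# Max describes. Counts "Failed password" lines per source address and emits
# hosts.deny entries for addresses at or over a threshold. Assumes the syslog
# format in the constructed sample and an sshd linked against tcp_wrappers.

# $1 = log file, $2 = threshold. Prints offending addresses, one per line, sorted.
failed_ssh_sources() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # "for root from A.B.C.D" and "for invalid user x from A.B.C.D"
            # differ in field count, so locate the address by the word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip }
    ' "$1" | sort
}

# Reads addresses on stdin and appends "sshd: ADDR" to $1 unless already present,
# so a cron re-run does not grow the file with duplicates.
append_hosts_deny() {
    while read -r ip; do
        grep -qxF "sshd: $ip" "$1" 2>/dev/null || echo "sshd: $ip" >> "$1"
    done
}

# Constructed sample log: documentation addresses, no real hosts.
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
AUTH_LOG="$tmpd/auth.log"; HOSTS_DENY="$tmpd/hosts.deny"
cat > "$AUTH_LOG" <<'EOF'
Oct  8 19:02:11 vps sshd[2201]: Failed password for root from 198.51.100.23 port 40312 ssh2
Oct  8 19:02:13 vps sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 40320 ssh2
Oct  8 19:02:15 vps sshd[2205]: Failed password for invalid user oracle from 198.51.100.23 port 40331 ssh2
Oct  8 19:03:40 vps sshd[2210]: Failed password for root from 192.0.2.45 port 55010 ssh2
Oct  8 19:03:42 vps sshd[2212]: Failed password for invalid user test from 192.0.2.45 port 55014 ssh2
Oct  8 19:05:40 vps sshd[2230]: Accepted publickey for max from 203.0.113.7 port 51022 ssh2
Oct  8 19:06:02 vps sshd[2244]: Failed password for max from 203.0.113.7 port 51030 ssh2
EOF

# Three failures from one address gets it blocked; two runs add it only once.
failed_ssh_sources "$AUTH_LOG" 3 | append_hosts_deny "$HOSTS_DENY"
failed_ssh_sources "$AUTH_LOG" 3 | append_hosts_deny "$HOSTS_DENY"
cat "$HOSTS_DENY"
```

Two things the sample shows that the one-liner in Max's post would not: the threshold keeps the owner's own typo (203.0.113.7, one failure after a successful key login) out of the deny list, and the duplicate check matters because hosts.deny entries never expire, which is exactly the "might grow too large" problem Max anticipates. Fail2ban and denyhosts add the expiry and the log-rotation handling this script lacks; with iptables rather than hosts.deny the block also covers services that were not built with libwrap.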

_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users