Hi Andy,
On Sun, March 14, 2010 8:51 am, Andy Smith wrote:
> This very long email is about possible pro-active measures I could take
> to prevent customers being compromised by SSH dictionary attacks.
Apt timing for me - I've only just joined and noticed in my logs that from
the very first day of my VPS going live I was receiving 500 login attempts
per hour (not from another Bitfolk customer however).
> 5) Install DenyHosts or Fail2Ban.
I think this approach would be a good start, although note that neither of
those support IPv6, so for those that have it enabled they'd turn a blind
eye to such connections. SSHguard (http://www.sshguard.net) claims to
support it, however I've not used it personally.
> (3) is already the case for Ubuntu of course, but not any of the other
> distributions offered. I haven't kept track of how many compromises have
> been of root and not some other user but disabling root access by SSH and
> requiring some other username seems a reasonable starting point, would at
> least limit the damage.
My Ubuntu memories are somewhat hazy, however, is it not the case that with
the default setup the first user is made part of the admin group? Hence,
if their password is compromised an attacker also has full superuser
rights through sudo... The attacker does of course have to be hitting the
right username, so there is still some mitigation, however.
Mathew
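Added example, not code from either message in this thread: a small detection script that does the kind of per-hour counting Mathew describes and covers the IPv6 gap he raises. It parses constructed sshd auth-log lines (hostname "vps" and the addresses used are made up, taken from documentation ranges) and reports sources that exceed a failures-per-hour threshold, matching IPv6 literals as well as IPv4.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the thread); the IPv6 entries show
# the kind of source that an IPv4-only blocker would never act on.
SAMPLE_LOG = """\
Mar 14 08:51:01 vps sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 14 08:51:03 vps sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar 14 08:51:04 vps sshd[2105]: Failed password for invalid user oracle from 2001:db8::15 port 51000 ssh2
Mar 14 08:51:09 vps sshd[2107]: Failed password for root from 2001:db8::15 port 51004 ssh2
Mar 14 08:52:10 vps sshd[2110]: Accepted publickey for mathew from 203.0.113.9 port 2222 ssh2
Mar 14 09:40:12 vps sshd[2150]: Failed password for root from 198.51.100.7 port 40201 ssh2
Mar 14 09:40:14 vps sshd[2152]: Failed password for invalid user test from 2001:db8::15 port 51100 ssh2
"""

# Matches both "Failed password for USER from ..." and "... for invalid user USER from ...".
# The host field is any run of non-space characters, so IPv6 literals are captured too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+ ssh2$"
)

def parse_failures(log_text, year=2010):
    """Yield (datetime, host, user, is_invalid_user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["user"], m["invalid"] is not None

def failures_per_hour(log_text):
    """Count failed logins per (source host, calendar hour)."""
    counts = Counter()
    for ts, host, _user, _invalid in parse_failures(log_text):
        counts[(host, ts.strftime("%Y-%m-%d %H"))] += 1
    return counts

def offenders(log_text, threshold):
    """Return {host: worst hourly failure count} for hosts at or above threshold."""
    worst = defaultdict(int)
    for (host, _hour), n in failures_per_hour(log_text).items():
        worst[host] = max(worst[host], n)
    return {h: n for h, n in worst.items() if n >= threshold}
```

Against a real log, a threshold in the region of the 500 attempts per hour mentioned above would be a sensible starting point; the constructed sample is small, so the tests below use a threshold of 2.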