Hi Max,
On Fri, Oct 08, 2010 at 11:35:14AM -0700, Max B wrote:
> Hi All,
> I received several ssh attacks over the past week, and wonder how, if at all, to
> deal with them.
Welcome to the Internet. :)
Go to:
http://lists.bitfolk.com/lurker/list/users.en.html
and type "ssh" after the "ml:users" in the search box at the bottom
to see some previous discussions.
Short answers:
I use and recommend Fail2ban if changing the SSH port is not an option.
> Are they just script kiddies?
Mostly hosts which have already fallen to previous dictionary
attacks and are now doing further dictionary attacks.
Every couple of months a BitFolk VPS gets compromised in this manner
and the customer only notices because our monitoring detects them
trying to do an SSH dictionary attack.
> One address resolves to
> 'server.pamperedpawsdogboutique.com', a domain
> registered with godaddy. Do I contact godaddy? This attack did not start until
> 7pm on a Friday...
If you want to make this your life, or if you can write a program advanced
enough that it can automatically report this to the right people
every time. Personally, I wouldn't bother, but I occasionally do
receive some automated abuse reports so some people obviously do
bother.
> I might create a blacklist of IP addresses... for
> example, to filter
> /var/log/auth.log into /etc/hosts.deny... (but that might grow too large)
Several programs to do this are covered in the archives. Fail2ban,
denyhosts.
> Or if I have confidence that my passwords are secure,
> do I simply ignore them as
> a fact of life?
Might be workable if you will never have users who might set weak
passwords.
Putting it on another port works well because the noise goes away
and the users can mostly adapt without issue.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
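A worked illustration of the auth.log-to-hosts.deny idea Max floats and of the maxretry/findtime rule that Fail2ban applies, which Andy recommends. This is an added example, not code from anyone in the thread; the log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the syslog-style lines sshd writes to /var/log/auth.log
# (not taken from the original thread; addresses are RFC 5737 documentation ranges).
SAMPLE_AUTH_LOG = """\
Oct  8 19:01:02 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  8 19:01:04 vps sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Oct  8 19:01:06 vps sshd[2103]: Failed password for root from 203.0.113.7 port 51251 ssh2
Oct  8 19:01:09 vps sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Oct  8 19:01:11 vps sshd[2105]: Failed password for root from 203.0.113.7 port 51270 ssh2
Oct  8 19:05:30 vps sshd[2110]: Failed password for max from 198.51.100.22 port 40001 ssh2
Oct  8 19:05:41 vps sshd[2110]: Accepted password for max from 198.51.100.22 port 40001 ssh2
Oct  8 19:06:00 vps sshd[2115]: Failed password for invalid user guest from 203.0.113.7 port 51300 ssh2
"""

# One failed-password line; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins_by_ip(log_text):
    """Map each source IP to the sorted timestamps of its failed sshd logins."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; only time differences are used below.
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            hits[m["ip"]].append(ts)
    return {ip: sorted(stamps) for ip, stamps in hits.items()}

def offenders(log_text, maxretry=5, findtime=600):
    """IPs with at least `maxretry` failures inside some `findtime`-second window,
    i.e. the sliding-window rule behind Fail2ban's maxretry/findtime settings."""
    flagged = []
    for ip, stamps in failed_logins_by_ip(log_text).items():
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                flagged.append(ip)
                break
    return sorted(flagged)

def hosts_deny_lines(ips):
    """Render /etc/hosts.deny entries that refuse the given IPs for sshd only."""
    return [f"sshd: {ip}" for ip in ips]
```

hosts.deny only takes effect if sshd was built with tcp_wrappers, which OpenSSH dropped in 6.7, so on newer systems the same list feeds a firewall rule instead. Fail2ban also unbans after a bantime, which is what keeps the list from growing without bound as Max worried.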