SSH intrusion attempts

Discussion in 'Tech Talk' started by frefoo, Apr 21, 2005.

  1. frefoo
    All,

    I have a server (FC3) that has SSH (port 22) open to the world (only SSH is allowed); no other services are exposed.

    I get the below intrusion attempts fairly often and am wondering if anyone has any advice to help combat it.

    Apr 19 02:22:53 frefoo sshd[5617]: Failed password for root from ::ffff:211.251.166.50 port 32981 ssh2
    Apr 19 02:22:58 frefoo sshd[5619]: Failed password for root from ::ffff:211.251.166.50 port 33067 ssh2
    Apr 19 02:23:02 frefoo sshd[5621]: Failed password for root from ::ffff:211.251.166.50 port 33139 ssh2
    Apr 19 02:23:07 frefoo sshd[5623]: Failed password for root from ::ffff:211.251.166.50 port 33216 ssh2
    Apr 19 02:23:11 frefoo sshd[5625]: Failed password for root from ::ffff:211.251.166.50 port 33297 ssh2
    Apr 19 02:23:16 frefoo sshd[5627]: Failed password for root from ::ffff:211.251.166.50 port 33366 ssh2
    Apr 19 02:23:20 frefoo sshd[5629]: Failed password for root from ::ffff:211.251.166.50 port 33436 ssh2
    Apr 19 02:23:25 frefoo sshd[5631]: Failed password for root from ::ffff:211.251.166.50 port 33490 ssh2


    I am not really worried about them getting in since root is not allowed to ssh into the box.

    Thanks for your comments.

    Dave
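    The eight log lines above are the usual password-guessing pattern: one source, a fresh connection every few seconds, always for root. As an added example that is not part of this thread, here is a small parser for those sshd syslog lines that flags any source with a burst of failures inside a sliding window (the sort of thing to feed an iptables DROP rule). The log lines and addresses in it are constructed (RFC 5737 test ranges), and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format posted above (RFC 5737 test addresses):
# four rapid root failures from one host, one stray failure from another.
SAMPLE_LOG = """\
Apr 19 02:22:53 frefoo sshd[5617]: Failed password for root from ::ffff:198.51.100.7 port 32981 ssh2
Apr 19 02:22:58 frefoo sshd[5619]: Failed password for root from ::ffff:198.51.100.7 port 33067 ssh2
Apr 19 02:23:02 frefoo sshd[5621]: Failed password for root from ::ffff:198.51.100.7 port 33139 ssh2
Apr 19 02:23:07 frefoo sshd[5623]: Failed password for root from ::ffff:198.51.100.7 port 33216 ssh2
Apr 19 09:10:00 frefoo sshd[6001]: Failed password for dave from 192.0.2.5 port 40000 ssh2
"""

# "Failed password" line as sshd writes it via syslog; the optional ::ffff:
# prefix is how an IPv4 peer shows up when sshd listens on a v6 socket.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+) port \d+"
)

def parse_failures(text, year=2005):
    """Return [(timestamp, user, ip)] for each failed-password line; syslog omits the year."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def brute_force_sources(text, threshold=3, window=timedelta(minutes=1)):
    """Map ip -> total failures for sources with >= threshold failures inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, candidate for an iptables DROP rule")
```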
     
  2. HerrGlock
    In your /etc/ssh/sshd_config, add a line:

    AllowUsers (your username)
    or
    AllowGroups (your group)

    and restart ssh. Then just watch and laugh.

    You do have PermitRootLogin no, I'm assuming from your post.

    You can also use iptables to restrict ssh from only known sources. You can, as well, use sshd_config to NOT allow password authentication and only allow public/private key authentication. Then no matter what they try with passwords, it won't work, even if they have your username and password.

    Then, you can *LK* the root user after you have put yourself into the sudoers file and use sudo exclusively. Root can no longer log in at all (of course, you have to change that back if you need to do maintenance in single user mode or something).

    DanH