[CentOS] ssh attack

Will McDonald wmcdonald at gmail.com
Tue Feb 14 00:19:14 UTC 2006


On 13/02/06, John Merritt <jmerritt at johnlyuba.mine.nu> wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into a
> system.

This question's popped up a fair few times in the last couple of
weeks/months. I wonder, if we haven't already got one, might it be worth
setting up a CentOS mailing list FAQ?

I think the general consensus in the past has been...

* Only allow SSH v2 RSA/DSA key-based authentication and use agent
forwarding (i.e. *not* passwordless private keys)
* Run SSHd on a non-standard port
* Disallow root logins via SSH
* Only allow users that belong to a specific group to connect via SSH,
typically people use the "wheel" group but a custom group is easily
substituted
* Use a denyhosts script or similar
* If you know absolutely where all SSH connections originate from, drop
all other traffic on that port bar the known IP address/range

As long as you at least understand the basics of how and why you're
doing these things, the more layers of security you add the better.

Will.
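An added example, not code from the original post: a small POSIX shell audit of an sshd_config against the points in the list above (SSHv2 only, key-based auth, no root login, group restriction, non-standard port). The ChallengeResponseAuthentication check goes one step beyond the list, because on PAM-based systems that directive also has to be off before password logins actually stop; both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# hardening points listed above. Assumes POSIX sh with awk and mktemp; both
# sample configs below are constructed for illustration.

# Effective value of a directive: sshd takes the first match, keywords are
# case-insensitive, comment lines are skipped.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Prints one line per deviation; exit status is 1 if anything was found.
audit_sshd_config() {
    cfg="$1"; n=0
    v=$(sshd_get "$cfg" Protocol)
    [ "$v" = "2" ] || { echo "Protocol: want 2, got '${v:-unset}' (SSHv1 still offered)"; n=$((n+1)); }
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication: want no, got '${v:-unset}'"; n=$((n+1)); }
    v=$(sshd_get "$cfg" ChallengeResponseAuthentication)
    [ "$v" = "no" ] || { echo "ChallengeResponseAuthentication: want no, got '${v:-unset}' (PAM can still accept passwords)"; n=$((n+1)); }
    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin: want no, got '${v:-unset}'"; n=$((n+1)); }
    v=$(sshd_get "$cfg" AllowGroups)
    [ -n "$v" ] || { echo "AllowGroups: unset, so every local account can be tried"; n=$((n+1)); }
    v=$(sshd_get "$cfg" Port)
    { [ -n "$v" ] && [ "$v" != "22" ]; } || { echo "Port: ${v:-22} is the default; the post suggests a non-standard one"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: looks like a stock config, still accepts password guesses
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: the settings the post recommends
Protocol 2
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers
EOF
echo "== weak =="; audit_sshd_config "$WEAK_CFG" || true
echo "== hardened =="; audit_sshd_config "$HARD_CFG" && echo "no findings"
```

Run it against /etc/ssh/sshd_config instead of the constructed files to get the same report for a live host; remember that a user must actually be in the AllowGroups group before you restart sshd, or you lock yourself out.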


