[CentOS] Ideas for stopping ssh brute force attacks
Rudi at SoftDux.com
Tue Jul 22 18:22:50 UTC 2008
lucian at lastdot.org wrote:
> On Tue, 22 Jul 2008 16:34:54 +0200
> Rudi Ahlers <Rudi at SoftDux.com> wrote:
>> Bowie Bailey wrote:
>>> Bo Lynch wrote:
>>>> just wanted to get some feedback from the community. Over the last
>>>> few days I have noticed my web server and email box have attempted
>>>> to ssh'd to using weird names like admin,appuser,nobody,etc....
>>>> None of these are valid users. I know that I can block sshd all
>>>> together with iptables but that will not work for us. I did a
>>>> little research on google and found programs like sshguard and
>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>> anything like these programs or have any other advice. I really
>>>> appreciate it.
>>> The simplest thing is to change the port. I know it's "security
>>> through obscurity", but it works well and can be used along with
>>> whatever other security enhancements you care to use.
>> By changing the ports on all our servers to a high (above 1024) port,
>> we have eliminated SSH scans altogether - been running like that for
>> a few years now without any problems.
>> I also add a small script in /etc/profile to email me when someone
>> logs in via SSH, since only a few privileged ppl should use SSH
> Interesting idea with this script thing. Can you provide more details or
> the script?
Yea, it's simple :)
echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert:
Access from `who | cut -d"(" -f2 | cut -d")" -f1`" xxxxx at yyy.com
Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
More information about the CentOS