On 13/02/06, John Merritt jmerritt@johnlyuba.mine.nu wrote:
Hi,
I get ssh connect attempts all the time, to my servers at home and at work. I've noticed lately they come from a certain IP address, hitting every 3 or 4 seconds, trying 50 or 100 different user names and passwords. And I get these sweeps from 2 or 3 IP addresses a day. I guess this is an automated attempt to guess a user/pass and break into a system.
This question's popped up a fair few times in the last couple of weeks/months. I wonder, if we haven't already got one, might it be worth setting up a CentOS mailing list FAQ?
I think the general consensus in the past has been...
* Only allow SSH v2 RSA/DSA key-based authentication and use agent forwarding (i.e. *not* passwordless private keys)
* Run SSHd on a non-standard port
* Disallow root logins via SSH
* Only allow users that belong to a specific group to connect via SSH, typically people use the "wheel" group but a custom group is easily substituted
* Use a denyhosts script or similar
* If you know absolutely where all SSH connections originate from, drop all other traffic on that port bar the known IP address/range
As long as you at least understand the basics of how and why you're doing these things, the more layers of security you add the better.
Will.
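
The kind of check a denyhosts-style script runs against the sweeps described above, as an added example that is not part of the original thread and is not DenyHosts' own code: it counts failed password lines per source IP inside a sliding window and reports the user names each flagged IP tried. The log lines, thresholds, default year and function names are constructed for illustration and assume the OpenSSH syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" syslog line, with or without "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(lines, year=2006):
    """Yield (timestamp, user, source_ip) for each failed password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_sweeps(lines, max_failures=5, window=timedelta(minutes=1), allow=()):
    """Return {ip: sorted user names tried} for every IP that reaches
    max_failures failed logins inside the window. IPs in `allow` are skipped."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)    # ip -> every user name that IP has tried
    flagged = set()
    for ts, user, ip in parse_failures(lines):
        if ip in allow:
            continue
        users[ip].add(user)
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}

# Constructed sample: one sweep every ~3 seconds, one user mistyping a password.
SAMPLE_LOG = """\
Feb 13 03:10:00 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Feb 13 03:10:03 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
Feb 13 03:10:07 host sshd[2105]: Failed password for root from 203.0.113.7 port 40003 ssh2
Feb 13 03:10:10 host sshd[2107]: Failed password for invalid user guest from 203.0.113.7 port 40004 ssh2
Feb 13 03:10:13 host sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 40005 ssh2
Feb 13 09:00:00 host sshd[3001]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Feb 13 09:00:20 host sshd[3001]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Feb 13 09:00:31 host sshd[3001]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
""".splitlines()
```

The `allow` argument keeps known-good source addresses from being flagged when a legitimate user mistypes a password several times.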