Will McDonald wrote:
On 13/02/06, John Merritt jmerritt@johnlyuba.mine.nu wrote:
Hi,
I get ssh connect attempts all the time, to my servers at home and at work. I've noticed lately they come from a certain ip address, hitting every 3 or 4 seconds, trying 50 or 100 different user names and passwords. And I get these sweeps from 2 or 3 ip addresses a day. I guess this is an automated attempt to guess a user/pass and break into a system.
This question's popped up a fair few times in the last couple of weeks/months. I wonder, if haven't already got one, might it be worth setting up a CentOS mailing list FAQ?
I think the general consensus in the past has been...
- Only allow SSH v2 RSA/DSA key-based authentication and use agent forwarding (i.e. *not* passwordless private keys)
- Run SSHd on a non-standard port
- Disallow root logins via SSH
- Only allow users that belong to a specific group to connect via SSH, typically people use the "wheel" group but a custom group is easily substituted
- Use a denyhosts script or similar
- If you know absolutely where all SSH connections originate from drop all other traffic on that port bar the known IP address/range
As long as you at least understand the basics of how and why you're doing these things, the more layers of security you add the better.
Will.
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
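As an added example that is not part of the thread: a small POSIX shell audit that reads an sshd_config and reports which points on Will's list (v2 only, no root login, no password authentication, non-default port, group restriction) are not met. The directive names are real sshd_config keywords; the two config files it writes are constructed samples.

```shell
# Added example, not from the thread: audit an sshd_config against the list
# above. Both config files written below are constructed samples.

# Print the value of the first uncommented occurrence of a directive, the way
# sshd resolves it (first match wins, keyword case-insensitive), stopping at
# the first "Match" block since directives there are conditional.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank
        tolower($1) == "match"   { exit }                 # conditional section
        tolower($1) == key       { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# Compare one directive to its expected value; returns 1 on mismatch.
sshd_check() {
    val=$(sshd_get "$1" "$2")
    if [ "$val" = "$3" ]; then
        echo "ok   $2 $val"; return 0
    fi
    echo "FAIL $2 is '${val:-unset (sshd default)}', want '$3'"; return 1
}

# Exit status is the number of failed checks (0 = every point on the list met).
sshd_audit() {
    fails=0
    sshd_check "$1" Protocol 2                         || fails=$((fails + 1))
    sshd_check "$1" PermitRootLogin no                 || fails=$((fails + 1))
    sshd_check "$1" PasswordAuthentication no          || fails=$((fails + 1))
    sshd_check "$1" ChallengeResponseAuthentication no || fails=$((fails + 1))
    port=$(sshd_get "$1" Port)                   # any non-default port passes
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port is the default 22"; fails=$((fails + 1))
    else echo "ok   Port $port"; fi
    groups=$(sshd_get "$1" AllowGroups)          # a group restriction must exist
    if [ -z "$groups" ]; then
        echo "FAIL AllowGroups unset, any local account may log in"; fails=$((fails + 1))
    else echo "ok   AllowGroups $groups"; fi
    return "$fails"
}
WEAK_CONF=${TMPDIR:-/tmp}/sshd_config.weak.$$; HARD_CONF=${TMPDIR:-/tmp}/sshd_config.hard.$$
printf '%s\n' '# constructed: stock-looking config' 'Port 22' 'Protocol 2,1' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' > "$WEAK_CONF"
printf '%s\n' '# constructed: hardened per the list' 'Port 2222' 'Protocol 2' \
    '#PermitRootLogin yes' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'AllowGroups sshusers' \
    'Match User backup' '    PasswordAuthentication yes' > "$HARD_CONF"
echo "== weak =="; sshd_audit "$WEAK_CONF" || echo "$? check(s) failed"
echo "== hardened =="; sshd_audit "$HARD_CONF" || echo "$? check(s) failed"
```

Run it against /etc/ssh/sshd_config with `sshd_audit /etc/ssh/sshd_config` after sourcing; `sshd -T` gives the authoritative effective settings if the file uses Match blocks or includes.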
Hi,
Thanks to everyone who responded. I learned a lot today.
What I've done is moved sshd to an alternate port, and also set up hosts.allow and hosts.deny by daemon, to only allow sshd to connect from hosts of mine without blocking other services.
Now when they scan port 22 sshd appears to not be running. If they do guess the alternate port and try a user/pass on it, they'll get stopped by tcpwrappers from even trying a password.
I like the sound of AFP; I didn't install it yet. It sounds like it gives the appearance of port 22 being closed, only it will allow connections from your chosen ips. It says on the web site there are rpms for it, but I didn't see them.
One thing I may be amiss in though, is your number one suggestion above:
* Only allow SSH v2 RSA/DSA key-based authentication and use agent forwarding (i.e. *not* passwordless private keys)
Right now I use passwords for some ssh connections, and passwordless ssh for crontab rsyncs, using passwordless rsa keys. (When it asked to enter a password for ssh-keygen I just hit enter). Does this leave me vulnerable? Is there a how-to on this that explains how to use ssh-agent with keys with passes?
Thanks, John