John Merritt wrote:
Hi,
I get ssh connect attempts all the time, to my servers at home and at work. I've noticed lately they come from a certain ip address, hitting every 3 or 4 seconds, trying 50 or 100 different user names and passwords. And I get these sweeps from 2 or 3 ip addresses a day. I guess this is an automated attempt to guess a user/pass and break into a system.
I tried to secure ssh better by putting in an AllowUsers line in sshd_config. Then I thought tcp wrappers and just putting in my own addresses in /etc/hosts.allow would be even better, until I found out that all mail to my email server would be rejected.
I have 2 questions. One, is there anything you can do to stop these attempts, other than not running ssh?
And two, do those ssh attempts every 3 or 4 seconds slow down a box, or put any strain on it?
John
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Using hosts.* files.
cat hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd : 192.0.0. : allow
sshd : 192.14.89.55 : allow
sshd : localhost : allow
# end hosts.allow
The first allows the entire class C on 192.0.0. access and the single IP address 192.14.89.55.
Set the allowed IP addresses to your location(s). Setting these to class Cs, is not such a bad idea. If someone local is trying to get in, it's pretty easy to find out who they are... and if someone suddenly throws you off onto another IP... hopefully it'll still be on the same class.
and then we deny all....
cat hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd : ALL
# end hosts.deny
Then
/etc/init.d/sshd restart
Be sure you have it right if you are remote or you'll not be able to shell in. ;)
And, as stated in other emails.... it's a good idea to have another method for getting in, so that when you're 500 miles from home, on a strange network, you don't suddenly find yourself locked out during a major catastrophe!
Best, John Hinton
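The following is an added example, not part of the thread: a small Python model of how tcpd evaluates the exact hosts.allow and hosts.deny rules John Hinton lists (hosts.allow is consulted first, then hosts.deny, and an unmatched connection is allowed). It also shows why John Merritt's original approach broke mail: a blanket ALL : ALL in hosts.deny (constructed here as DENY_ALL) blocks every wrapped daemon, while the reply's "sshd : ALL" only blocks sshd. It assumes numeric client addresses and treats "localhost" as 127.0.0.1 only, with no DNS lookups.

```python
# Added example (not from the thread): model of the tcp_wrappers decision
# for the rules given in the reply. Patterns modelled: trailing-dot network
# prefix ("192.0.0."), exact address, "localhost", and the ALL wildcard.
# Assumption: clients are numeric IPs; "localhost" means 127.0.0.1 only.

HOSTS_ALLOW = [  # (daemon, client pattern, option) exactly as in the reply
    ("sshd", "192.0.0.", "allow"),
    ("sshd", "192.14.89.55", "allow"),
    ("sshd", "localhost", "allow"),
]
HOSTS_DENY = [
    ("sshd", "ALL", None),              # the reply's hosts.deny: sshd only
]
DENY_ALL = [
    ("ALL", "ALL", None),               # constructed: what locked out the OP's mail
]

def client_matches(pattern, client_ip):
    """tcp_wrappers host-pattern matching for a numeric client address."""
    if pattern == "ALL":
        return True
    if pattern == "localhost":          # assumption: loopback only, no DNS
        return client_ip == "127.0.0.1"
    if pattern.endswith("."):           # "192.0.0." matches 192.0.0.*
        return client_ip.startswith(pattern)
    return client_ip == pattern         # exact address

def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon

def wrapper_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' the way tcpd would for this connection."""
    for d, c, opt in allow:             # first match in hosts.allow wins
        if daemon_matches(d, daemon) and client_matches(c, client_ip):
            return "deny" if opt == "deny" else "allow"
    for d, c, opt in deny:              # then first match in hosts.deny
        if daemon_matches(d, daemon) and client_matches(c, client_ip):
            return "deny"
    return "allow"                      # nothing matched: access granted

if __name__ == "__main__":
    # 203.0.113.9 is a constructed, documentation-range outside address.
    for daemon, ip in [("sshd", "192.0.0.77"), ("sshd", "203.0.113.9"),
                       ("sendmail", "203.0.113.9")]:
        print(daemon, ip, wrapper_decision(daemon, ip))
    # With a blanket deny, the same mail connection is refused:
    print("sendmail 203.0.113.9 with ALL:ALL ->",
          wrapper_decision("sendmail", "203.0.113.9", deny=DENY_ALL))
```

Something like tcpdmatch from the tcp_wrappers package gives the same kind of answer against the real files on the box before you restart sshd remotely.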