John Merritt wrote:
Hi,
I get ssh connect attempts all the time, to my servers at home and at work. I've noticed lately they come from a certain IP address, hitting every 3 or 4 seconds, trying 50 or 100 different user names and passwords. And I get these sweeps from 2 or 3 IP addresses a day. I guess this is an automated attempt to guess a user/pass and break into a system.
Everything on the internet gets them all day long. I have several dedicated servers so the attacks become weary, and the only time I have ever had a security problem was a user with a guessable password.
What I do is:
Install APF on every box as the first thing I do. http://www.rfxnetworks.com/apf.php
#apf -a myownips
Disallow ssh entirely with apf by leaving port 22 out of the ingress setting.
#chkconfig apf off
In the event the server hangs, I want the data center to be able to ssh to the box, so a reboot will disable apf and they will be able to access.
Install bfd - http://www.rfxnetworks.com/bfd.php. This will also stop the attacks on any port by banning the specific IPs that have too many failed logins. APF is wonderful, very well thought out and powerful. It's not as flexible as a firewall such as shorewall, but I feel that is overkill to protect a single online server.
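The "too many failed logins" check described in the reply above, as an added example that is not part of the original post and not bfd's own code: it reads sshd log lines and flags source IPs that exceed a failure threshold inside a sliding time window. The log lines, host name, threshold and window are constructed assumptions, and the log format assumed is OpenSSH's standard "Failed password" syslog message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines, for both valid and invalid user names.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Return {ip: [(timestamp, user), ...]} for failed-password lines only."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are ignored
        # syslog timestamps carry no year; pin one so parsing is unambiguous
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        by_ip[m["ip"]].append((ts, m["user"]))
    return by_ip

def offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: distinct user names tried} for IPs with at least
    `threshold` failures inside any `window`-long span."""
    flagged = {}
    for ip, events in parse_failures(lines).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it fits
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len({user for _, user in events})
                break
    return flagged

# Constructed sample: one sweep every 3 seconds, plus a user mistyping twice.
SAMPLE = [
    f"Jan 10 03:14:{3 * i:02d} web1 sshd[{4000 + i}]: Failed password for "
    f"invalid user {u} from 203.0.113.7 port {50000 + i} ssh2"
    for i, u in enumerate(["admin", "test", "oracle", "guest", "ftp", "mysql"])
] + [
    "Jan 10 03:20:00 web1 sshd[4100]: Failed password for john from 198.51.100.20 port 40111 ssh2",
    "Jan 10 03:30:00 web1 sshd[4101]: Failed password for john from 198.51.100.20 port 40112 ssh2",
    "Jan 10 03:30:09 web1 sshd[4102]: Accepted password for john from 198.51.100.20 port 40113 ssh2",
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

The window matters as much as the count: the two mistyped passwords ten minutes apart stay below the threshold, while the sweep is flagged after its fifth attempt.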