[CentOS] Entries in /var/log/messages

Mon Aug 22 01:45:22 UTC 2005
Jeffrey Means <meaje at meanspc.com>

CentOS mailing list <centos at centos.org> wrote: 
> On Sun, 2005-08-21 at 21:09, Jeffrey Means wrote:
> > One other method I have successfully used / am using is to change the port number
> > of the service being attacked.  If we are talking about ssh this can be done in
> > the /etc/ssh/sshd_config file by changing / adding a Port xxxx line to the file.
> > 
> > I hope this helps you; it has drastically decreased the number of people trying
> > to break down my front door.
> > --Jeff Means
> > MeansPC - Custom Web Development for your needs.
> > 
> > CentOS mailing list <centos at centos.org> wrote: 
> > > On Sun, 2005-08-21 at 17:03 -0500, Jerry Geis wrote:
> > > > I have quite a few entries in /var/log/messages for connection attempts.
> > > > Is there anything other
> > > > than ignoring them I can do? Example is below.
> > > > 
> > > 
> > > There are a number of scripts (some Perl, some Python) out there to
> > > monitor the log and add an entry in hosts.deny to block any further
> > > attempts from the offending IP when too many failed password attempts
> > > are noted.  You can find them with some "googling".
> > > 
> > > I am using a modified one to stop these breakin attempts on my servers.
> > > 
> > > > Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
> > > > Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; 
> > > > logname= uid=0 euid=0 tty=ssh ruser=
> > > > rhost=wsip-24-234-149-156.lv.lv.cox.net
> > > 
> 
> It is good to know that this type of attack against ssh is generally
> automated.  Most likely run by script kiddies looking for a system with
> poor passwords or default passwords on that service.  
> 
> If you take the actions others have already posted you should be in good
> shape.  Just make sure you use non-trivial passwords, limit which users
> are allowed to login into ssh, and if you want to eliminate this type of
> traffic in your log files use a different port.  It is important to
> realize that changing the port number is not a security measure.  Any
> good hacker will scan your system and find it.  But it does prevent
> these automated scripts from finding your system for the most part.
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
This is a very good point. As a rule I only allow PKCS (public key) logins from
offsite, so I have little to worry about with this particular issue; again, this
is a line item change you can make in the sshd_config file.  I am running two sshd
servers: one for internal access which does run on port 22 but is firewalled from
the outside, and one on port xxxx which only allows connections with PKCS auth.
If you want a copy of my sshd startup script which starts daemons for all the
files ending in .config contained in the /etc/ssh/ directory, let me know and
I'll gladly make that available.  Using PKCS makes it really hard to break a
password that is over 256 characters, has built-in validity tests and travels
nicely on a USB key (even old small ones, which makes this very inexpensive to
implement even for a medium to large business).

Note to the wise: Be sure to password protect the keys issued, for if they fall
into the wrong hands you have just given away the keys to your server / network.
-- 
Jeffrey D. Means                                   meaje at meanspc.com
Owner / CIO for MeansPC                       http://www.meanspc.com/
Custom Web Development For Your Needs.                 (970)308-1298

 - The stupidity of a stupid person is exercised in a restricted
field; the stupidity of an intelligent individual has a much broader
diffusion, and far greater effect, aided as it is by the element
of surprise.
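The log-watching scripts mentioned earlier in the thread (count failed password attempts per rhost in /var/log/messages and add repeat offenders to hosts.deny), written out as a minimal Python illustration; this is added here and is not any poster's script, and the sample log lines, the threshold of 3 and the hosts.deny path are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the pam_unix format quoted in the thread (the wrapped
# record from the original is shown here on one line, plus a few more).
SAMPLE_LOG = """\
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Aug 21 15:48:25 machine sshd(pam_unix)[17905]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net user=root
Aug 21 15:48:31 machine sshd(pam_unix)[17907]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Aug 21 15:49:02 machine sshd(pam_unix)[17910]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Aug 21 15:49:05 machine sshd(pam_unix)[17912]: session opened for user jerry by (uid=0)
"""

# Only sshd's pam_unix "authentication failure" records carry the rhost we need;
# "check pass; user unknown" and session lines are ignored.
FAILURE_RE = re.compile(r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(\S+)")

def count_failures(log_text):
    """Count failed sshd password authentications per remote host."""
    return Counter(m.group(1) for m in map(FAILURE_RE.search, log_text.splitlines()) if m)

def read_denied(hosts_deny_text):
    """Return the hosts already listed for sshd in an existing hosts.deny."""
    denied = set()
    for line in hosts_deny_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("sshd:"):
            denied.update(h.strip() for h in line[len("sshd:"):].split(","))
    return denied

def hosts_deny_entries(counts, threshold, already_denied=frozenset()):
    """Build the hosts.deny lines to append for hosts at or over the threshold."""
    return [f"sshd: {host}" for host, n in sorted(counts.items())
            if n >= threshold and host not in already_denied]

def block_offenders(log_text, hosts_deny_path, threshold=3):
    """Append new deny entries to hosts.deny; returns the lines that were added."""
    try:
        with open(hosts_deny_path) as f:
            existing = read_denied(f.read())
    except FileNotFoundError:
        existing = set()
    new_entries = hosts_deny_entries(count_failures(log_text), threshold, existing)
    if new_entries:
        with open(hosts_deny_path, "a") as f:
            f.write("".join(e + "\n" for e in new_entries))
    return new_entries
```

hosts.deny only takes effect when sshd was built with tcp_wrappers support (true for CentOS of that era; OpenSSH dropped libwrap support in 6.7), and the rhost field may be a reverse-DNS name rather than an address, so a deny entry is only as reliable as that lookup.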