[CentOS] ssh attack

Mon Feb 13 23:14:24 UTC 2006
John Hinton <webmaster at ew3d.com>

John Merritt wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at 
> work. I've noticed lately they come from a certain ip address, hitting 
> every 3 or 4 seconds, trying 50 or 100 different user names and 
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I 
> guess this is an automated attempt to guess a user/pass and break into 
> a system.
>
> I tried to secure ssh better by putting in an AllowUsers line in 
> sshd_config. Then I thought tcp wrappers and just putting in my own 
> addresses in /etc/hosts.allow would be even better, until I found out 
> that all mail to my email server would be rejected.
>
> I have 2 questions. One, is there anything you can do to stop these 
> attempts, other than not running ssh?
>
> And two, do those ssh attempts every 3 or 4 seconds slow down a box, 
> or put any strain on it?
>
> John
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
Using hosts.* files.

cat hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

sshd : 192.0.0. : allow
sshd : 192.14.89.55 : allow
sshd : localhost : allow

#   end hosts.allow

The first line allows the entire class C on 192.0.0. access, and
the second the single IP address 192.14.89.55.

Set the allowed IP addresses to your location(s). Setting these to class 
Cs is not such a bad idea. If someone local is trying to get in, it's 
pretty easy to find out who they are... and if someone suddenly throws 
you off onto another IP... hopefully it'll still be on the same class.

and then we deny all....

cat hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

sshd : ALL

#    end hosts.deny

Then

/etc/init.d/sshd restart

Be sure you have it right if you are remote or you'll not be able to 
shell in. ;)

And, as stated in other emails.... it's a good idea to have another 
method for getting in, so that when you're 500 miles from home, on a 
strange network, you don't suddenly find yourself locked out during a 
major catastrophe!

Best,
John Hinton
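Added example, not part of the list post above: a small Python dry-run of the tcp_wrappers decision for sshd, so the hosts.allow/hosts.deny pair from the post can be checked against your own address before restarting sshd on a remote box. It assumes only the pattern forms the post uses (ALL, localhost, an exact IPv4 address, a trailing-dot network prefix) and the allow/deny option field; the real hosts_access(5) matcher also handles hostnames, netmasks, EXCEPT lists and more.

```python
# Constructed copies of the two files shown in the post.
HOSTS_ALLOW = """\
sshd : 192.0.0. : allow
sshd : 192.14.89.55 : allow
sshd : localhost : allow
"""
HOSTS_DENY = """\
sshd : ALL
"""


def parse_rules(text, default):
    """Yield (daemons, clients, verdict) per rule, skipping comments/blanks.
    An optional third field of 'allow' or 'deny' overrides the file default."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        verdict = fields[2] if len(fields) > 2 and fields[2] in ("allow", "deny") else default
        yield fields[0].split(), fields[1].split(), verdict


def client_matches(pattern, client):
    """Subset of hosts_access(5) client matching used by the post's files."""
    if pattern == "ALL":
        return True
    if pattern == "localhost":
        # Assumption: the loopback address reverse-resolves to 'localhost'.
        return client in ("127.0.0.1", "::1", "localhost")
    if pattern.endswith("."):          # network prefix, e.g. "192.0.0."
        return client.startswith(pattern)
    return pattern == client           # exact address


def sshd_access(client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' for an sshd connection from client.
    hosts.allow is consulted first, then hosts.deny; the first matching
    rule wins; if nothing matches in either file, access is granted."""
    for text, default in ((allow, "allow"), (deny, "deny")):
        for daemons, clients, verdict in parse_rules(text, default):
            if ("sshd" in daemons or "ALL" in daemons) and any(
                    client_matches(p, client) for p in clients):
                return verdict
    return "allow"


if __name__ == "__main__":
    for ip in ("192.0.0.42", "192.14.89.55", "127.0.0.1", "10.9.8.7"):
        print(ip, sshd_access(ip))
```

The last address is the lock-out case the post warns about: anything not listed in hosts.allow falls through to `sshd : ALL` in hosts.deny.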