[CentOS] ssh attack

Mon Feb 13 23:30:50 UTC 2006
Chris Mason (Lists) <lists at masonc.com>

John Merritt wrote:
> Hi,
> I get ssh connect attempts all the time, to my servers at home and at 
> work. I've noticed lately they come from a certain ip address, hitting 
> every 3 or 4 seconds, trying 50 or 100 different user names and 
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I 
> guess this is an automated attempt to guess a user/pass and break into 
> a system.
Everything on the internet gets them all day long. I have several 
dedicated servers so the attacks become weary, and the only time I have 
ever had a security problem was a user with a guessable password.

What I do is:

Install APF on every box as the first thing I do. 

#apf -a myownips

disallow ssh entirely with apf by leaving port 22 out of the the ingress 

#chkconfig apf off
in the event the server hangs, I want the data center to be able to ssh 
to the box, so a reboot will disble apf and they will be able to access.

install bfd - http://www.rfxnetworks.com/bfd.php
this will also stop the attacks on any port by banning the specifics IPs 
that have too many failed logins.
APF is wonderful, very well thought out and powerful. It's not as 
flexible as a firewall such as shorewall, but I feel that is overkill to 
protect a single online server.

Chris Mason
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla at yahoo.com 

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.