[CentOS] ssh attack

Tue Feb 14 00:19:14 UTC 2006
Will McDonald <wmcdonald at gmail.com>

On 13/02/06, John Merritt <jmerritt at johnlyuba.mine.nu> wrote:
> Hi,
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into a
> system.

This question's popped up a fair few times in the last couple of
weeks/months. I wonder, if haven't already got one, might it be worth
setting up a CentOS mailing list FAQ?

I think the general concensus in the past has been...

* Only allow SSH v2 RSA/DSA key-based authentication and use agent
forwarding (i.e. *not* passwordless private keys)
* Run SSHd on a non-standard port
* Disallow root logins via SSH
* Only allow users that belong to a specific group to connect via SSH,
typically people use the "wheel" group but a custom group is easily
* Use a denyhosts script or similar
* If you know absolutely where all SSH connections originate from drop
all other traffic on that port bar the know IP address/range

As long as you at least understand the basics of how and why you're
doing these things, the more layers of security you add the better.