[CentOS] ssh attack

Tue Feb 14 02:20:27 UTC 2006
John Merritt <jmerritt at johnlyuba.mine.nu>

Will McDonald wrote:

>On 13/02/06, John Merritt <jmerritt at johnlyuba.mine.nu> wrote:
>>I get ssh connect attempts all the time, to my servers at home and at
>>work. I've noticed lately they come from a certain ip address, hitting
>>every 3 or 4 seconds, trying 50 or 100 different user names and
>>passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
>>guess this is an automated attempt to guess a user/pass and break into a
>This question's popped up a fair few times in the last couple of
>weeks/months. I wonder, if haven't already got one, might it be worth
>setting up a CentOS mailing list FAQ?
>I think the general concensus in the past has been...
>* Only allow SSH v2 RSA/DSA key-based authentication and use agent
>forwarding (i.e. *not* passwordless private keys)
>* Run SSHd on a non-standard port
>* Disallow root logins via SSH
>* Only allow users that belong to a specific group to connect via SSH,
>typically people use the "wheel" group but a custom group is easily
>* Use a denyhosts script or similar
>* If you know absolutely where all SSH connections originate from drop
>all other traffic on that port bar the know IP address/range
>As long as you at least understand the basics of how and why you're
>doing these things, the more layers of security you add the better.
>CentOS mailing list
>CentOS at centos.org

Thanks to everyone who responded. I learned a lot today.

What I've done is moved sshd to an alternate port, and also set up 
hosts.allow and hosts.deny by daemon, to only allow sshd to connect from 
hosts of mine without blocking other services.

Now when they scan port 22 sshd appears to not be running. If they do 
guess the alternate port and try a user/pass on it, they'll get stopped 
by tcpwrappers from even trying a password.

I like the sound of AFP; I didn't install it yet. It sounds like it 
gives the appearance of port 22 being closed, only it will allow 
connections from your chosen ips. It says on the web site there are rpms 
for it, but I didn't see them.

One thing I may be amiss in though, is your number one suggestion above:

* Only allow SSH v2 RSA/DSA key-based authentication and use agent
forwarding (i.e. *not* passwordless private keys)

Right now I use passwords for some ssh connections, and passwordless ssh 
for crontab rsyncs, using passwordless rsa keys. (When it asked to enter 
a password for ssh-keygen I just hit enter). Does this leave me 
vulnerable? Is there a how-to on this that explains how to use ssh-agent 
with keys with passes?