[CentOS] ssh attack

Mon Feb 13 23:55:13 UTC 2006
James Fidell <james at cloud9.co.uk>

Quoting John Merritt (jmerritt at johnlyuba.mine.nu):
> I get ssh connect attempts all the time, to my servers at home and at 
> work. I've noticed lately they come from a certain ip address, hitting 
> every 3 or 4 seconds, trying 50 or 100 different user names and 
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I 
> guess this is an automated attempt to guess a user/pass and break into a 
> system.
> I tried to secure ssh better by putting in an AllowUsers line in 
> sshd_config. Then I thought tcp wrappers and just putting in my own 
> addresses in /etc/hosts.allow would be even better, until I found out 
> that all mail to my email server would be rejected.
> I have 2 questions. One, is there anything you can do to stop these 
> attempts, other than not running ssh?

As others have said, one option is to use port knocking.  You could also
stop using passwords altogether.  Alternatively you could firewall sources
of repeated login attempts using iptables.  I've been looking at


only this afternoon.

Sounds like you've got your hosts.allow config wrong, but others appear
to have dealt with that already.

My preference would be to firewall rather than block in hosts.[allow|deny],
purely because you get rid of the unwanted traffic as early as possible.

> And two, do those ssh attempts every 3 or 4 seconds slow down a box, or 
> put any strain on it?

I don't think it's any significant extra load.  However, if you start to
get large numbers of them then I guess it's possible that sshd may stop
responding at times.