On 13/02/06, John Merritt <jmerritt at johnlyuba.mine.nu> wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into a
> system.

This question's popped up a fair few times in the last couple of weeks/months. I wonder, if we haven't already got one, might it be worth setting up a CentOS mailing list FAQ?

I think the general consensus in the past has been...

* Only allow SSH v2 RSA/DSA key-based authentication and use agent forwarding (i.e. *not* passwordless private keys)
* Run SSHd on a non-standard port
* Disallow root logins via SSH
* Only allow users that belong to a specific group to connect via SSH, typically people use the "wheel" group but a custom group is easily substituted
* Use a denyhosts script or similar
* If you know absolutely where all SSH connections originate from drop all other traffic on that port bar the known IP address/range

As long as you at least understand the basics of how and why you're doing these things, the more layers of security you add the better.

Will.
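
A checker for the sshd_config items in the list above, added here as an example and not part of the original post. The function names and the sample config are constructed for illustration; it reads only the global section (it stops at the first Match block) and looks only at the first Port line.

```python
import re

# Constructed sample config, not taken from any real host.
SAMPLE = """\
# constructed sample
Port 22
Protocol 2,1
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

def effective(text):
    """Return {lowercased keyword: value} for the global section.

    sshd keeps the first value it reads for a keyword, and keywords are
    case-insensitive, so a later duplicate does not override an earlier one.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # simplification: conditional blocks are not evaluated
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(text):
    """List which of the thread's sshd-side recommendations are not met."""
    cfg = effective(text)
    findings = []
    if "1" in cfg.get("protocol", "2").replace(",", " ").split():
        findings.append("protocol 1 enabled")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password authentication allowed")
    if cfg.get("port", "22") == "22":
        findings.append("listening on standard port 22")
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.append("root login not explicitly disabled")
    if not cfg.get("allowgroups"):
        findings.append("no AllowGroups restriction")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

The denyhosts and firewall items in the list sit outside sshd_config and are not covered by this check.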