[CentOS] Ideas for stopping ssh brute force attacks

Robert Moskowitz rgm at htt-consult.com
Tue Jul 22 21:24:56 UTC 2008


Rudi Ahlers wrote:
> lucian at lastdot.org wrote:
>> On Tue, 22 Jul 2008 16:34:54 +0200
>> Rudi Ahlers <Rudi at SoftDux.com> wrote:
>>
>>> Bowie Bailey wrote:
>>>> Bo Lynch wrote:
>>>>> just wanted to get some feedback from the community. Over the last
>>>>> few days I have noticed my web server and email box have attempted
>>>>> to ssh'd to using weird names like admin,appuser,nobody,etc....
>>>>> None of these are valid users. I know that I can block sshd all
>>>>> together with iptables but that will not work for us. I did a
>>>>> little research on google and found programs like sshguard and
>>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>>> anything like these programs or have any other advice. I really
>>>>> appreciate it. 
>>>> The simplest thing is to change the port. I know it's "security
>>>> through obscurity", but it works well and can be used along with
>>>> whatever other security enhancements you care to use.
>>>>
>>> By changing the ports on all our servers to a high (above 1024) port,
>>> we have eliminated SSH scans altogether - been running like that for
>>> a few years now without any problems.
>>>
>>> I also add a small script in /etc/profile to email me when someone
>>> logs in via SSH, since only a few privileged ppl should use SSH
>>> altogether
>>>
>>
>> Interesting idea with this script thing. Can you provide more details or
>> the script?
> Yea, it's simple :)
>
>
>
> echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" xxxxx at yyy.com
>
OK. A chance to learn some more for me.

Is there a 'best' placement for this script in /etc/profile? Is 
localhost.localdomain a placeholder here for foo.bar.com?
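An added example, not code from anyone in this thread: the same login alert written as small functions so that the client address comes from the SSH_CONNECTION variable sshd sets, the real host name replaces the localhost.localdomain placeholder, and each piece can be checked on its own. It assumes the file is dropped into /etc/profile.d/ (sourced by login shells), a working `mail` command, and a recipient in ALERT_TO (placeholder address).

```shell
#!/bin/sh
# Added example: SSH login alert for /etc/profile.d/ssh-alert.sh (assumed path).
# Sent to ALERT_TO (placeholder recipient, assumed) via the mail command.
ALERT_TO="${ALERT_TO:-security-alerts@example.com}"

# Client address of this session. sshd sets SSH_CONNECTION to
# "<client_ip> <client_port> <server_ip> <server_port>"; taking field 1
# avoids parsing `who`, which mixes in every other open session.
ssh_client_ip() {
    # $1: the SSH_CONNECTION value (passed in so it can be tested)
    set -- $1
    printf '%s' "$1"
}

# Subject as in the one-liner above, but with the actual host name
# in place of the localhost.localdomain placeholder.
ssh_alert_subject() {
    # $1: client ip, $2: fully qualified host name
    printf 'Alert: SSH login to %s from %s' "$2" "$1"
}

# Body: who logged in, from where, and when.
ssh_alert_body() {
    # $1: user name, $2: client ip, $3: timestamp
    printf 'SSH login\nuser: %s\nfrom: %s\nat: %s\n' "$1" "$2" "$3"
}

send_ssh_alert() {
    ip=$(ssh_client_ip "$SSH_CONNECTION")
    host=$(hostname -f 2>/dev/null || hostname)
    ssh_alert_body "$(id -un)" "$ip" "$(date)" \
        | mail -s "$(ssh_alert_subject "$ip" "$host")" "$ALERT_TO"
}

# Fire only for interactive SSH logins. Note the limit of the /etc/profile
# approach: 'ssh host command', scp and sftp never start a login shell,
# so they are not reported; sshd's own log still records them.
if [ -n "${SSH_CONNECTION:-}" ]; then
    case $- in *i*) send_ssh_alert ;; esac
fi
```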