[CentOS] Ideas for stopping ssh brute force attacks

Robert Moskowitz rgm at htt-consult.com
Tue Jul 22 21:24:56 UTC 2008

Rudi Ahlers wrote:
> lucian at lastdot.org wrote:
>> On Tue, 22 Jul 2008 16:34:54 +0200
>> Rudi Ahlers <Rudi at SoftDux.com> wrote:
>>> Bowie Bailey wrote:
>>>> Bo Lynch wrote:
>>>>> just wanted to get some feedback from the community. Over the last
>>>>> few days I have noticed my web server and email box have attempted
>>>>> to ssh'd to using weird names like admin,appuser,nobody,etc....
>>>>> None of these are valid users. I know that I can block sshd all
>>>>> together with iptables but that will not work for us. I did a
>>>>> little research on google and found programs like sshguard and
>>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>>> anything like these programs or have any other advice. I really
>>>>> appreciate it. 
>>>> The simplest thing is to change the port. I know it's "security
>>>> through obscurity", but it works well and can be used along with
>>>> whatever other security enhancements you care to use.
>>> By changing the ports on all our servers to a high (above 1024) port,
>>> we have eliminated SSH scans altogether - been running like that for
>>> a few years now without any problems.
>>> I also add a small script in /etc/profile to email me when someone
>>> logs in via SSH, since only a few privileged ppl should use SSH
>>> altogether
>> Interesting idea with this script thing. Can you provide more details or
>> the script?
>> _______________________________________________
> Yea, it's simple :)
> echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: 
> Access from `who | cut -d"(" -f2 | cut -d")" -f1`" xxxxx at yyy.com
OK. A chance to learn some more for me.

Is there a 'best' placement for this script in /etc/profile? Is 
localhost.localdomain a placeholder here for foo.bar.com?

More information about the CentOS mailing list