[CentOS] Ideas for stopping ssh brute force attacks

Tue Jul 22 18:22:50 UTC 2008
Rudi Ahlers <Rudi at SoftDux.com>

lucian at lastdot.org wrote:
> On Tue, 22 Jul 2008 16:34:54 +0200
> Rudi Ahlers <Rudi at SoftDux.com> wrote:
>
>   
>> Bowie Bailey wrote:
>>     
>>> Bo Lynch wrote:
>>>   
>>>       
>>>> just wanted to get some feedback from the community. Over the last
>>>> few days I have noticed my web server and email box have attempted
>>>> to ssh'd to using weird names like admin,appuser,nobody,etc....
>>>> None of these are valid users. I know that I can block sshd all
>>>> together with iptables but that will not work for us. I did a
>>>> little research on google and found programs like sshguard and
>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>> anything like these programs or have any other advice. I really
>>>> appreciate it. 
>>>>         
>>> The simplest thing is to change the port.  I know it's "security
>>> through obscurity", but it works well and can be used along with
>>> whatever other security enhancements you care to use.
>>>
>>>   
>>>       
>> By changing the ports on all our servers to a high (above 1024) port,
>> we have eliminated SSH scans altogether - been running like that for
>> a few years now without any problems.
>>
>> I also add a small script in /etc/profile to email me when someone
>> logs in via SSH, since only a few privileged ppl should use SSH
>> altogether
>>
>>     
>
> Interesting idea with this script thing. Can you provide more details or
> the script?
>   
Yea, it's simple :)



# Dropped into /etc/profile: mails an alert for every interactive login, with the
# source host pulled from the "(host)" field of who(1). Replace the hostname and
# the recipient address (munged by the list archive) with your own.
echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" xxxxx@yyy.com



-- 

Kind Regards
Rudi Ahlers

Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
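A fuller version of the same idea, as an added example that is not Rudi's script: it fires only for SSH sessions by checking the SSH_CONNECTION variable that sshd exports (client IP, client port, server IP, server port), so console logins and the "(host)" parsing of who(1) are not needed. The file location /etc/profile.d/ssh-alert.sh, the ALERT_TO recipient and the function names are assumptions for this example.

```shell
# Added example (not the original poster's script). Intended for
# /etc/profile.d/ssh-alert.sh on CentOS; recipient is an assumed placeholder.
ALERT_TO="${ALERT_TO:-root}"

# Build the alert subject from an sshd-style SSH_CONNECTION value ($1) and
# the login name ($2). Returns 1 without printing if $1 is not the expected
# four-field tuple, so a tampered or missing variable never produces mail.
ssh_alert_subject() {
    conn=$1
    user=$2
    set -- $conn
    [ $# -eq 4 ] || return 1
    printf 'Alert: SSH login by %s from %s:%s to %s:%s\n' "$user" "$1" "$2" "$3" "$4"
}

# Compose the body: user ($1), SSH_CONNECTION tuple ($2), tty ($3), host, time.
ssh_alert_body() {
    printf 'SSH login on %s\nuser: %s\ntty: %s\nclient: %s\ntime: %s\n' \
        "$(uname -n)" "$1" "${3:-none}" "$2" "$(date)"
}

# Send only from a real interactive SSH session when mail(1) is available;
# non-interactive shells (scp, rsync, "ssh host cmd") and console logins skip.
send_ssh_alert() {
    case $- in *i*) ;; *) return 0 ;; esac
    [ -n "$SSH_CONNECTION" ] || return 0
    command -v mail >/dev/null 2>&1 || return 0
    subj=$(ssh_alert_subject "$SSH_CONNECTION" "$(id -un)") || return 0
    ssh_alert_body "$(id -un)" "$SSH_CONNECTION" "$(tty 2>/dev/null)" \
        | mail -s "$subj" "$ALERT_TO"
}

send_ssh_alert
```

One caveat worth keeping in mind: anything sourced from /etc/profile only runs for login shells, so a user who runs `ssh host somecommand` or disables profile loading never triggers the alert. Treat it as a convenience notification, and rely on sshd's own entries in /var/log/secure as the authoritative login record.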