[CentOS] Ideas for stopping ssh brute force attacks

Tue Jul 22 21:29:05 UTC 2008
Rudi Ahlers <Rudi at SoftDux.com>

Robert Moskowitz wrote:
> Rudi Ahlers wrote:
>> lucian at lastdot.org wrote:
>>> On Tue, 22 Jul 2008 16:34:54 +0200
>>> Rudi Ahlers <Rudi at SoftDux.com> wrote:
>>>> Bowie Bailey wrote:
>>>>> Bo Lynch wrote:
>>>>>> just wanted to get some feedback from the community. Over the last
>>>>>> few days I have noticed my web server and email box have attempted
>>>>>> to ssh'd to using weird names like admin,appuser,nobody,etc....
>>>>>> None of these are valid users. I know that I can block sshd all
>>>>>> together with iptables but that will not work for us. I did a
>>>>>> little research on google and found programs like sshguard and
>>>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>>>> anything like these programs or have any other advice. I really
>>>>>> appreciate it. 
>>>>> The simplest thing is to change the port. I know it's "security
>>>>> through obscurity", but it works well and can be used along with
>>>>> whatever other security enhancements you care to use.
>>>> By changing the ports on all our servers to a high (above 1024) port,
>>>> we have eliminated SSH scans altogether - been running like that for
>>>> a few years now without any problems.
>>>> I also add a small script in /etc/profile to email me when someone
>>>> logs in via SSH, since only a few privileged ppl should use SSH
>>>> altogether
>>> Interesting idea with this script thing. Can you provide more details or the script?
>> Yea, it's simple :)
>> echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" xxxxx at yyy.com
> OK. A chance to learn some more for me.
> Is there a 'best' placement for this script in /etc/profile? Is 
> localhost.localdomain a placeholder here for foo.bar.com?
I put stuff like that right at the end, and localhost.localdomain is 
basically the server's name, from where I copied this script, so replace 
that with my.linux.server.com - or whatever


Kind Regards
Rudi Ahlers

Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
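A variant of the login-alert snippet from this thread, added here as an example and not code from any of the posters: it reads the SSH_CONNECTION variable that sshd exports for each session instead of parsing `who` (which lists every logged-in session, not just the new one), and is meant to be dropped into /etc/profile.d/ (the file name and the ALERT_TO recipient are assumptions).

```shell
#!/bin/sh
# Login alert for sshd sessions; assumed to live in /etc/profile.d/ssh-alert.sh
# so every login shell sources it. sshd exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port" for each session, which
# identifies the new session unambiguously; `who` would list all sessions.

ALERT_TO="${ALERT_TO:-root}"   # recipient address: assumption, set per host

# Body of the alert. $1 = SSH_CONNECTION value, $2 = login name, $3 = host.
# Returns 1 if SSH_CONNECTION does not have the expected four fields.
ssh_alert_message() {
    _user="$2"; _host="$3"
    set -- $1
    [ $# -eq 4 ] || return 1
    printf 'SSH login on %s\nuser:   %s\nfrom:   %s port %s\nto:     %s port %s\ntime:   %s\n' \
        "$_host" "$_user" "$1" "$2" "$3" "$4" "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
}

# Subject line. $1 = SSH_CONNECTION value, $2 = login name.
ssh_alert_subject() {
    _user="$2"
    set -- $1
    [ $# -eq 4 ] || return 1
    printf 'Alert: SSH login %s from %s' "$_user" "$1"
}

# Send the alert only for interactive SSH sessions: console logins and
# non-interactive shells have no SSH_CONNECTION or no terminal and are skipped.
ssh_login_alert() {
    [ -n "${SSH_CONNECTION:-}" ] && [ -t 0 ] || return 0
    _u="${LOGNAME:-$(id -un)}"
    _h="$(hostname)"
    ssh_alert_message "$SSH_CONNECTION" "$_u" "$_h" |
        mail -s "$(ssh_alert_subject "$SSH_CONNECTION" "$_u")" "$ALERT_TO"
}

ssh_login_alert
```

Because the file is sourced rather than executed, a user who sets their own shell or logs in with a forced command may bypass it, so treat it as a courtesy notification and keep sshd's own logs as the record.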