[CentOS] Ideas for stopping ssh brute force attacks

Tue Jul 22 15:17:18 UTC 2008
lucian at lastdot.org <lucian at lastdot.org>

On Tue, 22 Jul 2008 16:34:54 +0200
Rudi Ahlers <Rudi at SoftDux.com> wrote:

> Bowie Bailey wrote:
> > Bo Lynch wrote:
> >   
> >> Just wanted to get some feedback from the community. Over the last
> >> few days I have noticed my web server and email box have had attempts
> >> to ssh to them using weird names like admin, appuser, nobody, etc.
> >> None of these are valid users. I know that I can block sshd
> >> altogether with iptables but that will not work for us. I did a
> >> little research on Google and found programs like sshguard and
> >> sshdfilter. Just wanted to know if anyone had any experience with
> >> anything like these programs or has any other advice. I really
> >> appreciate it.
> >
> > The simplest thing is to change the port.  I know it's "security
> > through obscurity", but it works well and can be used along with
> > whatever other security enhancements you care to use.
> >
> >   
> By changing the ports on all our servers to a high (above 1024) port,
> we have eliminated SSH scans altogether - been running like that for
> a few years now without any problems.
> 
> I also add a small script in /etc/profile to email me when someone
> logs in via SSH, since only a few privileged people should use SSH
> altogether.
> 

Interesting idea with this script thing. Can you provide more details or
the script?
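
An added example, not part of the thread and not Rudi's script: one way an /etc/profile fragment of the kind described above could email a notice on interactive SSH logins. The recipient `ADMIN_ADDR`, the function name `ssh_login_notice` and the presence of a working `mail` command with local delivery are assumptions.

```shell
# Added example: fragment for /etc/profile (or a file under /etc/profile.d/).
# ADMIN_ADDR is an assumed recipient; set it to a monitored mailbox.
ADMIN_ADDR="root"

# Print a login notice built from SSH_CONNECTION, which sshd sets to
# "client_ip client_port server_ip server_port".
# Prints nothing and returns 1 if the session did not arrive over SSH.
ssh_login_notice() {
    [ -n "${SSH_CONNECTION:-}" ] || return 1
    # Word-split into $1..$4; inside a function this only replaces the
    # function's own positional parameters, not the caller's.
    set -- $SSH_CONNECTION
    [ $# -eq 4 ] || return 1
    printf 'user:   %s\n' "$(id -un)"
    printf 'host:   %s\n' "$(uname -n)"
    printf 'from:   %s port %s\n' "$1" "$2"
    printf 'to:     %s port %s\n' "$3" "$4"
    printf 'tty:    %s\n' "${SSH_TTY:-none}"
    printf 'time:   %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
}

# Send only from interactive shells, so sourcing this file from a script
# or cron job never generates mail.
case $- in
    *i*)
        if _notice=$(ssh_login_notice) && command -v mail >/dev/null 2>&1; then
            printf '%s\n' "$_notice" |
                mail -s "SSH login: $(id -un)@$(uname -n)" "$ADMIN_ADDR"
        fi
        unset _notice
        ;;
esac
```

/etc/profile is read by login shells only, so `ssh host command`, scp and sftp sessions do not trigger the notice, and a user who can edit their own startup files can still see and reason about it. Treat it as a convenience alert and keep sshd's authentication log as the record of all connections.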