> Open up sshd port only
> setup iptables to only accept port 80 and 22
> No FTP
> No other ports are allowed according to IP Tables.

Where is the box? Am I correct that it runs a website? What website software are you running? Who needs to log in with SSH? And where from?

Are the crackers logging in with SSH? Or are they getting in via some kind of web back door? Maybe because of the website software? Have you checked with the software to see if there are known holes? Are you running the latest version?

If only certain people need SSH access and that is how the crackers are getting in, then you could set up your firewall to only accept SSH connections from certain IPs. Assuming those who need to get in have a fixed IP. You could also set up SSH to only accept connections via keys, and then install the keys on the server for those who need to get in.

Lots of questions you need to be asking.

What you can also consider is something I do on my box - run tcpdump continuously, with the options to create round-robin log files. You just have to make sure you'll have enough space for that. This can give you TCP/IP logs going back X amount of time, so that you can do forensics with something like Wireshark to see how people are getting in.

-- 
“Don't eat anything you've ever seen advertised on TV”
 - Michael Pollan, author of "In Defense of Food"
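
The three measures suggested in the reply above (SSH restricted to known source IPs, key-only logins, and a round-robin tcpdump capture sized to a disk budget), sketched as an added example that is not part of the original message. The addresses, the interface `eth0`, the path `/var/log/pcap` and the sizes are constructed placeholders; the functions only print the commands and settings so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example. Addresses, interface, paths and sizes are constructed
# placeholders (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

# Print iptables rules that accept SSH only from the given source IPs,
# then drop every other connection to port 22.
ssh_allowlist_rules() {
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Print sshd_config lines that allow key logins only.
sshd_key_only() {
    echo "PubkeyAuthentication yes"
    echo "PasswordAuthentication no"
    # Named ChallengeResponseAuthentication on older OpenSSH releases.
    echo "KbdInteractiveAuthentication no"
}

# Number of ring files that fit in a disk budget (both in MB).
# Fails if the budget cannot hold at least two files, because a
# one-file ring overwrites the evidence as soon as it wraps.
ring_files() {
    budget_mb=$1; file_mb=$2
    [ "$file_mb" -gt 0 ] || return 1
    n=$((budget_mb / file_mb))
    [ "$n" -ge 2 ] || return 1
    echo "$n"
}

# Print a tcpdump command that writes a round-robin capture:
# -C rolls to a new file every file_mb (units of 1,000,000 bytes),
# -W caps the number of files so the oldest is overwritten.
tcpdump_ring_cmd() {
    iface=$1; dir=$2; budget_mb=$3; file_mb=$4
    n=$(ring_files "$budget_mb" "$file_mb") || return 1
    echo "tcpdump -i $iface -n -s 0 -C $file_mb -W $n -w $dir/ring.pcap"
}

ssh_allowlist_rules 203.0.113.10 198.51.100.7
sshd_key_only
tcpdump_ring_cmd eth0 /var/log/pcap 5000 100
```

The capture files in the ring can be opened directly in Wireshark; how far back they reach depends on traffic volume, so check the oldest file's timestamp after a day of running.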