stopping ssh hack attempts

I get a daily security e-mail from my web server alerting me to failed login attempts and other security issues, and in the past few weeks (months?) I've been getting tens if not hundreds of failed attempts to log in to my server. At first I thought I could resolve the issue by blocking the offending IP addresses in /etc/hosts.allow for the SSH server, but the attempts continued unabated: they arrive from many different addresses, so a block list of individual hosts never catches up.
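To see why a per-address block list falls behind, it helps to tally the failed attempts the daily report is built from by source address and by targeted account. The following is an added example, not code from the original post; the auth.log-style lines are constructed for illustration (addresses are from documentation ranges), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: tally failed SSH password logins
# per source address and per target account from auth.log-style lines.
# The log file below is constructed for illustration.

# ssh_failures_by_source <logfile>: "count address" lines, most frequent first.
ssh_failures_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (a in n) print n[a], a }' "$1" | sort -rn
}

# ssh_failures_by_user <logfile>: "count account" lines, most frequent first.
# sshd logs "invalid user NAME" for accounts that do not exist on the host.
ssh_failures_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                u = ($(i+1) == "invalid") ? $(i+3) : $(i+1); n[u]++; break
            }
         }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# ssh_distinct_sources <logfile>: number of different addresses involved.
ssh_distinct_sources() { ssh_failures_by_source "$1" | wc -l | tr -d ' '; }

# Constructed sample log: three sources, root tried from every one of them,
# plus one successful key login that must not be counted.
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Oct 20 03:12:01 web sshd[1411]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct 20 03:12:04 web sshd[1413]: Failed password for root from 192.0.2.10 port 40130 ssh2
Oct 20 03:12:09 web sshd[1415]: Failed password for invalid user admin from 192.0.2.10 port 40141 ssh2
Oct 20 04:40:33 web sshd[1502]: Failed password for root from 198.51.100.7 port 51002 ssh2
Oct 20 04:40:37 web sshd[1504]: Failed password for invalid user test from 198.51.100.7 port 51010 ssh2
Oct 20 06:15:50 web sshd[1610]: Failed password for invalid user guest from 203.0.113.44 port 33017 ssh2
Oct 20 06:15:55 web sshd[1612]: Failed password for root from 203.0.113.44 port 33025 ssh2
Oct 20 07:01:12 web sshd[1700]: Accepted publickey for alice from 203.0.113.200 port 50210 ssh2
EOF

echo "Failed logins by source:";  ssh_failures_by_source "$LOG"
echo "Failed logins by account:"; ssh_failures_by_user "$LOG"
echo "Distinct sources: $(ssh_distinct_sources "$LOG")"
```

Run against a real /var/log/auth.log (or /var/log/secure) the by-account column is the telling one: root and a handful of generic names dominate, which is exactly what turning off root logins and restricting the allowed group addresses, while the by-source column keeps changing from day to day.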

I looked online for solutions and found a few sites mentioning the problem, but none of them had solutions I liked.

My solution was first to turn off root logins by setting

PermitRootLogin no

in /etc/ssh/sshd_config. (The directive is PermitRootLogin, singular; a misspelt keyword such as PermitRootLogins is reported by sshd as a "Bad configuration option" and stops the daemon from starting, so check the file with sshd -t before restarting it.) I should have done that a long time ago, but I hadn't thought of it until now. My second step was to allow logins only from members of one group, which is what the AllowGroups directive in the same file does. It's not ultra-secure and I'm sure there are better ways, but it limits the number of users with access to my machine that I have to keep track of, and for now that's good enough for me.
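The two settings above, with a small audit script to confirm they are actually in effect. This is an added example and not the post's own configuration; the group name sshusers and both sample config files are assumptions constructed here for illustration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the two
# hardening settings discussed (root logins off, logins limited to one group
# via AllowGroups). The group "sshusers" and both sample configs are assumed.

# sshd_get <file> <keyword>: print the value of a directive, or nothing if it
# is not set. Keywords are case-insensitive and the FIRST uncommented
# occurrence wins, which is how sshd itself resolves a repeated directive: a
# "PermitRootLogin no" appended at the bottom of the file changes nothing if
# an earlier line already says "yes". Only the "Keyword value" form and no
# Match blocks are handled here; see the note below for the real check.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/     { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_audit <file>: print one line per finding; succeed only when both
# settings are in place. An absent PermitRootLogin means the compiled-in
# default, which was "yes" in OpenSSH of this period and is
# "prohibit-password" in current releases; either way it is not "no".
sshd_audit() {
    problems=0
    root=$(sshd_get "$1" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '${root:-unset}' (want: no)"
        problems=$((problems + 1))
    fi
    groups=$(sshd_get "$1" AllowGroups)
    if [ -n "$groups" ]; then
        echo "ok:   AllowGroups $groups"
    else
        echo "FAIL: AllowGroups is unset, so any account with a password can log in"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Two constructed configs. The weak one shows a common mistake: the fix was
# appended at the end without removing the earlier directive.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
# appended later, but ignored: the first value above wins
PermitRootLogin no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
AllowGroups sshusers
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    if sshd_audit "$cfg"; then echo "=> hardened"; else echo "=> NOT hardened"; fi
done
```

On a live host, validate the edited file with sshd -t before restarting the daemon, and prefer sshd -T (which prints the effective configuration after Match blocks and defaults are applied) over reading the file by hand. Remember to put your own account into the allowed group before enabling AllowGroups, and keep an existing session open while you test a fresh login.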

I found several other links related to this issue, which I've included here for your perusal.

Unix Girl
Unix Girl 2
Seclists.org
Linode.com
Drinsama.de
Verbum.org
Sans.org
Heal your church

Comments

  1. I was having the same problem not too long ago. I had already locked down the SSH Daemon so it was really just more of an annoyance to see it in my logs. When this first started happening I asked a few people on IRC and we came to the conclusion that it was a highly unsophisticated botnet. I moved the SSH Daemon to another port and haven’t seen anything since. Theoretically, somebody could just do a quick portscan and start attacking again but I don’t think this particular botnet is that smart.

    If you’re looking for up-to-the-minute info on these botnets that have been surfacing, check out http://isc.sans.org/
    They seem to be reporting on this at least once a week.

    Comment by Jeremy Grosser on October 21, 2004 @ 6:07 am
  2. Heh, I already had a link to sans.org (it’s the 2nd to last one in the list at the bottom).

    Comment by dan on October 21, 2004 @ 10:03 am
  3. Here’s a solution to the problem, FWIW

    Comment by Jon on January 21, 2005 @ 4:23 pm
