Re: SSH Attacks - What to do?

["SILUG25" <silug25@bruneworld.com>]

On Sat, 30 Jul 2005 20:17:49 -0500, Steven Pritchard wrote
> On Wed, Jul 27, 2005 at 03:19:21PM -0500, Tim McDonough wrote:
> > In reviewing the logs on my Linux server I see that for today and much 
> > of yesterday someone has a machine set up that's trying to log in 
> > every few seconds via SSH. They have had no success so far. Here's a 
> > snippet of the message log, the file is huge with these things. (The 
> > last two entries are me doing legitimate work.)
> [...]
> 
> I just noticed something like 55k failed login attempts on one of my
> few systems that has sshd open to the world.  Unfortunately, I can't
> cut off access to that system, and it would be somewhat painful to
> disallow password authentication in general.  There seems to be
> another alternative though:
> 
>   PermitRootLogin without-password
> 
> Despite how it sounds, that appears to disable password authentication
> for root, but nobody else.
> 
> Steve

In /etc/ssh/sshd_config, I use the "AllowUsers" option, like this:

     AllowUsers fred, barney, wilma, betty

Note that root isn't one of them.  If I need to be root, I log in as "fred" and
either use "sudo" or do an "su -".

I do want to try the "PermitRootLogin" thing shown above, although I agree that it
appears to be a bit misleading.  8-)

Charlie

-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.