
Re: SSH Attacks - What to do?



Freshmeat has an initial project release today that may help address this 
problem:

BanFromLog is a shell script that examines your /var/log/auth.log and 
searches for the IP addresses of login attempts which use non-existent 
user names. It is configured for use with sqlite or MySQL.


SILUG25 wrote:

>On Sat, 30 Jul 2005 20:17:49 -0500, Steven Pritchard wrote
>  
>
>>On Wed, Jul 27, 2005 at 03:19:21PM -0500, Tim McDonough wrote:
>>    
>>
>>>In reviewing the logs on my Linux server I see that for today and much 
>>>of yesterday someone has a machine set up that's trying to log in 
>>>every few seconds via SSH. They have had no success so far. Here's a 
>>>snippet of the message log, the file is huge with these things. (The 
>>>last two entries are me doing legitimate work.)
>>>      
>>>
>>[...]
>>
>>I just noticed something like 55k failed login attempts on one of my
>>few systems that has sshd open to the world.  Unfortunately, I can't
>>cut off access to that system, and it would be somewhat painful to
>>disallow password authentication in general.  There seems to be
>>another alternative though:
>>
>>  PermitRootLogin without-password
>>
>>Despite how it sounds, that appears to disable password authentication
>>for root, but nobody else.
>>
>>Steve
>>    
>>
>
>In /etc/ssh/sshd_config, I use the "AllowUsers" option, like this:
>
>     AllowUsers fred barney wilma betty
>
>Note that root isn't one of them.  If I need to be root, I log in as "fred" and
>either use "sudo" or do an "su -".
>
>I do want to try the "PermitRootLogin" thing shown above, although I agree that it
>appears to be a bit misleading.  8-)
>
>Charlie
>
>-
>To unsubscribe, send email to majordomo@luci.org with
>"unsubscribe luci-discuss" in the body.
>  
>
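
The kind of log scan described at the top of this message, as an added example; it is not BanFromLog's code and not part of the original post. It assumes sshd records attempts on non-existent accounts as "Invalid user NAME from ADDR" or "Illegal user NAME from ADDR"; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list source addresses that tried non-existent user names.
# Assumption: sshd logs such attempts as "Invalid user NAME from ADDR"
# (newer OpenSSH) or "Illegal user NAME from ADDR" (older releases).

# invalid_user_sources MIN < logfile
# Prints "COUNT ADDR" for every address with at least MIN such attempts.
invalid_user_sources() {
    min="${1:-1}"
    awk -v min="$min" '
        /sshd(\[[0-9]+\])?: (Invalid|Illegal) user / {
            # The user name is attacker-controlled and may itself contain
            # " from X", so take the token after the LAST "from".
            addr = ""
            for (i = NF - 1; i > 0; i--)
                if ($i == "from") { addr = $(i + 1); break }
            # Keep only tokens that look like an IPv4/IPv6 address.
            if (addr ~ /^[0-9A-Fa-f:.]+$/) hits[addr]++
        }
        END {
            for (a in hits)
                if (hits[a] >= min) print hits[a], a
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses), not real log data.
sample_log() {
    cat <<'EOF'
Jul 30 20:01:02 host sshd[4101]: Illegal user admin from 192.0.2.10
Jul 30 20:01:05 host sshd[4103]: Illegal user test from 192.0.2.10
Jul 30 20:01:09 host sshd[4105]: Invalid user guest from 192.0.2.10 port 40022
Jul 30 20:02:00 host sshd[4110]: Invalid user x from 203.0.113.9 from 198.51.100.7 port 51000
Jul 30 20:03:00 host sshd[4120]: Failed password for fred from 203.0.113.50 port 2200 ssh2
Jul 30 20:04:00 host sshd[4130]: Accepted password for fred from 203.0.113.50 port 2201 ssh2
EOF
}

# Run against the sample when executed directly.
sample_log | invalid_user_sources 1
```

Failed passwords for existing accounts such as fred are deliberately not counted, so a legitimate user's typo does not put their address on the list.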


