Server receiving a lot of brute force SSH attacks
 

Hi all,

I have a CentOS server running SSHd, I monitor the /var/log/secure logfile which is showing a lot of brute force activity on my SSHd.

Is there any way I can see the passwords that the attackers are trying? It would be interesting to see.

The server is configured so that the root user cannot login directly by SSH. There is only one user allowed which is a non standard, non generic username with a strong password.

Is it possible to see if anyone has used the correct password for the root user - or any other user, but was denied access because of the user filter?

At the moment I am manually blocking each offensive IP Address at the kernel level using iptables, which is getting a bit tedious after a while.

Is it worth moving my SSHd to a different port? I imagine this would prevent most of the attacks unless someone executed a port scan to reveal the new port.

I understand I can configure iptables to only accept a list of predefined IP Addresses but this isn't ideal for my circumstances, so is a last resort.

Thanks in advance.

I noticed a huge uptick in distributed brute force sshd attacks starting about a week ago -- on one of my VPS hosts, anyway.

I'm not sure, but you might experiment with some of the chattier sshd debug levels on a test system. (You don't want to turn this on for a system that is getting hammered with access attempts.)

Good. Don't sweat it then.

Maybe not. If you have PermitRootLogin no in place, logging just indicates that root authentication failed. If you have AllowUsers foo in place, logging indicates that root was not found as an allowed user.

I wrote a "web knocking" (variation of port knocking) application that you might be interested in checking out. I have it in place on one production FreeBSD host and one Fedora host.

TIP: implement web knocking to protect your sshd service

IMO, nope. Just learn to deal with the log noise.

Most of these attacks are from script kiddies
You can change the port, to avoid these attacks
Also you can use fail2ban or iptables to block the IP for x minutes, after x wrong attempts.

@repo: Nice idea about "rate/attempt limiting", but that trick doesn't work in a distributed attack. ;) Each IP only tries 1 - 4 times.

When I noticed this problem I installed DenyHosts which will auto block an IP after 5 failed login attempts. You can also enable the distributed mode so it will download know offending IP's and upload new ones you discover.

Of course this does slow down the ssh login as your IP is scaned, so be prepared for that.

http://denyhosts.sourceforge.net/

For a listing and discussion of common SSH protection measures see http://www.linuxquestions.org/questi...tempts-340366/.

Thanks for the info all, that helps a lot.