Server receiving a lot of brute force SSH attacks
Hi all,
I have a CentOS server running SSHd. I monitor the /var/log/secure logfile, which is showing a lot of brute force activity on my SSHd. Is there any way I can see the passwords that the attackers are trying? It would be interesting to see.
The server is configured so that the root user cannot log in directly by SSH. There is only one user allowed, which is a non-standard, non-generic username with a strong password. Is it possible to see if anyone has used the correct password for the root user - or any other user, but was denied access because of the user filter?
At the moment I am manually blocking each offensive IP address at the kernel level using iptables, which is getting a bit tedious after a while. Is it worth moving my SSHd to a different port? I imagine this would prevent most of the attacks unless someone executed a port scan to reveal the new port. I understand I can configure iptables to only accept a list of predefined IP addresses but this isn't ideal for my circumstances, so is a last resort.
Thanks in advance.
|
TIP: implement web knocking to protect your sshd service
|
Most of these attacks are from script kiddies.
You can change the port to avoid these attacks. Also, you can use fail2ban or iptables to block the IP for x minutes after x wrong attempts.
|
@repo: Nice idea about "rate/attempt limiting", but that trick doesn't work in a distributed attack. ;) Each IP only tries 1 - 4 times.
|
When I noticed this problem I installed DenyHosts, which will auto block an IP after 5 failed login attempts. You can also enable the distributed mode so it will download known offending IPs and upload new ones you discover.
Of course this does slow down the ssh login as your IP is scanned, so be prepared for that. http://denyhosts.sourceforge.net/
|
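The per-IP thresholds suggested above (fail2ban, DenyHosts) and the objection that a distributed attack stays under them, shown as an added example that is not part of any post in this thread. It parses constructed /var/log/secure lines and compares a 5-failure per-IP threshold with blocking on the first failure for any account outside the allow list; the account name opsuser7, the host name and all addresses are made up, and the first-failure rule is an assumption built on the original poster's single-allowed-user setup.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the sshd "Failed password" format found in /var/log/secure.
SAMPLE_LOG = """\
Jan 10 03:12:01 srv sshd[2201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 03:12:03 srv sshd[2202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 10 03:12:05 srv sshd[2203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 03:12:07 srv sshd[2204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 03:12:09 srv sshd[2205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 03:14:11 srv sshd[2210]: Failed password for root from 198.51.100.1 port 51010 ssh2
Jan 10 03:14:40 srv sshd[2211]: Failed password for invalid user admin from 198.51.100.2 port 51011 ssh2
Jan 10 03:15:02 srv sshd[2212]: Failed password for root from 198.51.100.3 port 51012 ssh2
Jan 10 03:15:30 srv sshd[2213]: Failed password for invalid user oracle from 198.51.100.4 port 51013 ssh2
Jan 10 03:15:31 srv sshd[2214]: Failed password for root from 198.51.100.4 port 51014 ssh2
Jan 10 09:00:12 srv sshd[2300]: Failed password for opsuser7 from 192.0.2.10 port 52000 ssh2
Jan 10 09:00:20 srv sshd[2300]: Accepted password for opsuser7 from 192.0.2.10 port 52000 ssh2
"""

# Usernames are client-supplied text, so match greedily and anchor on the
# final " from IP port N ssh2" that sshd itself appended to the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(text):
    """Return a (user, ip) pair for every failed-password line."""
    return [(m["user"], m["ip"]) for m in map(FAILED.search, text.splitlines()) if m]

def per_ip_blocks(failures, threshold=5):
    """Threshold rule: block an IP once it reaches `threshold` failures."""
    counts = Counter(ip for _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}

def unknown_user_blocks(failures, allowed_users):
    """Assumed rule: block on the first failure for an account outside the allow list."""
    return {ip for user, ip in failures if user not in allowed_users}

def spread_per_user(failures):
    """Distinct source IPs per targeted account; many sources means a distributed run."""
    sources = defaultdict(set)
    for user, ip in failures:
        sources[user].add(ip)
    return {user: len(ips) for user, ips in sources.items()}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("per-IP threshold blocks:", sorted(per_ip_blocks(failures)))
    print("unlisted-account blocks:", sorted(unknown_user_blocks(failures, {"opsuser7"})))
    print("sources per account:", spread_per_user(failures))
```

On this sample the threshold rule blocks only the single noisy address, while the allow-list rule also catches the four low-volume sources and leaves the legitimate user's mistyped password alone.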
For a listing and discussion of common SSH protection measures see http://www.linuxquestions.org/questi...tempts-340366/.
|
Thanks for the info all, that helps a lot.
|