[SOLVED] Server receiving a lot of brute force SSH attacks
I have a CentOS server running SSHd. I monitor the /var/log/secure logfile, which is showing a lot of brute force activity on my SSHd.
Is there any way I can see the passwords that the attackers are trying? It would be interesting to see.
The server is configured so that the root user cannot login directly by SSH. There is only one user allowed, which is a non-standard, non-generic username with a strong password.
Is it possible to see if anyone has used the correct password for the root user - or any other user, but was denied access because of the user filter?
At the moment I am manually blocking each offensive IP Address at the kernel level using iptables, which is getting a bit tedious after a while.
Is it worth moving my SSHd to a different port? I imagine this would prevent most of the attacks unless someone executed a port scan to reveal the new port.
I understand I can configure iptables to only accept a list of predefined IP Addresses but this isn't ideal for my circumstances, so is a last resort.
Quote:
Originally Posted by the182guy
I have a CentOS server running SSHd. I monitor the /var/log/secure logfile, which is showing a lot of brute force activity on my SSHd.
I noticed a huge uptick in distributed brute force sshd attacks starting about a week ago -- on one of my VPS hosts, anyway.
Quote:
Originally Posted by the182guy
Is there any way I can see the passwords that the attackers are trying? It would be interesting to see.
I'm not sure, but you might experiment with some of the chattier sshd debug levels on a test system. (You don't want to turn this on for a system that is getting hammered with access attempts.)
Quote:
Originally Posted by the182guy
The server is configured so that the root user cannot login directly by SSH. There is only one user allowed which is a non standard, non generic username with a strong password.
Good. Don't sweat it then.
Quote:
Originally Posted by the182guy
Is it possible to see if anyone has used the correct password for the root user - or any other user, but was denied access because of the user filter?
Maybe not. If you have PermitRootLogin no in place, logging just indicates that root authentication failed. If you have AllowUsers foo in place, logging indicates that root was not found as an allowed user.
Quote:
Originally Posted by the182guy
At the moment I am manually blocking each offensive IP Address at the kernel level using iptables, which is getting a bit tedious after a while.
I wrote a "web knocking" (variation of port knocking) application that you might be interested in checking out. I have it in place on one production FreeBSD host and one Fedora host.
Most of these attacks are from script kiddies.
You can change the port to avoid these attacks.
Also you can use fail2ban or iptables to block the IP for x minutes after x wrong attempts.
When I noticed this problem I installed DenyHosts, which will auto-block an IP after 5 failed login attempts. You can also enable the distributed mode so it will download known offending IPs and upload new ones you discover.
Of course this does slow down the ssh login as your IP is scanned, so be prepared for that.
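The "block after x wrong attempts" logic that fail2ban and DenyHosts apply, as an added example that is not from any poster or from those tools: it parses constructed /var/log/secure lines (including the AllowUsers rejection message described earlier in the thread), counts rejected logins per source address inside a time window, and emits the iptables rules the original poster was adding by hand. The year, hostname and RFC 5737 addresses are assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Two sshd messages count as a rejected login here: a bad password, and a user
# turned away by AllowUsers (sshd logs a rejection, not a password failure).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+ from (?P<ip1>\S+)"
    r"|User \S+ from (?P<ip2>\S+) not allowed because not listed in AllowUsers)"
)

# Constructed sample log; documentation addresses, not real attackers.
SAMPLE_LOG = """\
Mar 14 09:00:01 vps sshd[3900]: Failed password for root from 192.0.2.9 port 2200 ssh2
Mar 14 09:00:04 vps sshd[3902]: Failed password for root from 192.0.2.9 port 2201 ssh2
Mar 14 10:21:33 vps sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 14 10:21:36 vps sshd[4025]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 14 10:21:39 vps sshd[4027]: User root from 203.0.113.5 not allowed because not listed in AllowUsers
Mar 14 10:21:41 vps sshd[4029]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 14 10:21:44 vps sshd[4031]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar 14 10:22:05 vps sshd[4033]: Failed password for bob from 198.51.100.7 port 40112 ssh2
Mar 14 10:22:20 vps sshd[4035]: Accepted password for bob from 198.51.100.7 port 40113 ssh2
Mar 14 11:30:00 vps sshd[4100]: Failed password for root from 192.0.2.9 port 2210 ssh2
Mar 14 11:30:03 vps sshd[4102]: Failed password for root from 192.0.2.9 port 2211 ssh2
Mar 14 11:30:06 vps sshd[4104]: Failed password for root from 192.0.2.9 port 2212 ssh2
""".splitlines()

def parse_failures(lines, year=2010):
    """Yield (timestamp, source_ip) for each line that records a rejected login."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip1"] or m["ip2"]

def offenders(lines, max_fail=5, window_sec=600):
    """Return source IPs with >= max_fail rejected logins inside any window_sec span."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:  # drop attempts outside the window
            q.popleft()
        if len(q) >= max_fail:
            flagged.add(ip)
    return sorted(flagged)

def block_rules(ips):
    """The iptables rules the original poster adds by hand, generated for the flagged IPs."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

With the default 5 failures in 10 minutes only 203.0.113.5 is flagged; 192.0.2.9 also has 5 failures but spread across two and a half hours, so it is caught only with a wider window.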