I was just checking some of my admin logs on my Redhat 9 server and I noticed that it looks like multiple people have been trying dictionary type attacks via ssh. It's kind of unnerving. I was wondering if anyone knows a way of stopping this?

Thanks for any help.

Sure, but that depends on your situation.

1. If your regular customers log on from the same networks consistently, filter unwanted login attempts with netfilter and/or tcp_wrappers. Problem solved.

2. If your regular customers log on from the same machines consistently, enable pubkey authentication and disable all other authentication. Problem solved.

I recommend #1 or #2, or both.

3. If you can't do #1 or #2, move sshd to listen on a different port (e.g. 123). This is a sucky security measure, though, and will only stop the script kiddies.

4. If you can't do #1, #2, or #3, then make sure your users have strong passwords. You can enforce this with John or some such.

You might create a group for users who are authorized to use ssh, and use that group name in the /etc/ssh/sshd_conf configuration file. This should disallow all other users and groups. You may want to check the man sshd_conf manpages to double check. If you have the users in AllowUsers instead that would be fine also. AllowUsers trumps AllowGroups. If you want to use AllowGroups instead of AllowUsers, make sure that AllowUsers is commented out, because a user not listed AllowUsers will be denied access even if they are a member of a group in AllowGroups.

This is a suggestion for another layer of security rather than a replacement for the previous suggestions.

also consider installing denyhosts

Or ... blockhosts


Cheers,
Tink