Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
This morning my BSD box emailed regular security output which contained the following:
Nov 16 15:42:01 server1 sshd: error: PAM: authentication error for illegal user admin from 18.104.22.168
Nov 16 15:42:01 server1 sshd: Failed keyboard-interactive/pam for invalid user admin from 22.214.171.124 port 53806 ssh2
Nov 16 16:35:10 server1 sshd: error: PAM: authentication error for illegal user admin from 213-163-19-158.pool.invitel.hu
Nov 16 16:35:10 server1 sshd: Failed keyboard-interactive/pam for invalid user admin from 126.96.36.199 port 25034 ssh2
Nov 16 17:28:02 server1 sshd: error: PAM: authentication error for illegal user admin from 188.8.131.52
Nov 16 17:28:02 server1 sshd: Failed keyboard-interactive/pam for invalid user admin from 184.108.40.206 port 4584 ssh2
Nov 16 18:22:12 server1 sshd: error: PAM: authentication error for illegal user admin from 220.127.116.11
Nov 16 18:22:12 server1 sshd: Failed keyboard-interactive/pam for invalid user admin from 18.104.22.168 port 7735 ssh2
The log goes on and on until the end of that day, so I will probably get more today.
Any known way of preventing this 'password matching'? I obviously can't block the IPs in the firewall, as there are many and they are all probably anonymous proxies, so what are my options? Obviously I don't want to block port 22, as I use SSH every now and then.
One way is to limit the number of consecutive login attempts and temporarily ban the source IPs. I used tcp wrappers to do this, following directions from Samhain Labs. You will find plenty of useful information here.
I also vouch for denyhosts in general against brute-force script attacks.
You may also consider changing the default port 22 to something else, as written above, since most of the attacking scripts rely on that port. Of course it will not eliminate the risk of a break-in, but it'll greatly reduce the number of break-in attempts.
Port knocking is also a good technique, but in my opinion it is applicable only for systems with not many shell users.
Changing the default sshd options will also do the trick. For example, you may want to set a shorter LoginGraceTimeout (default 120s), or MaxStartups (10), MaxAuthTries, etc., and of course disable root login (!), which should be the default.
Last edited by kapal; 11-19-2008 at 05:27 AM.
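The "limit consecutive attempts, then temporarily ban the source" approach described in the reply above can be prototyped without denyhosts. The following is an added example, not code from the thread or from the tools it mentions: it parses sshd failure lines in the same syslog shape as the original post, counts failures per source inside a sliding time window, and renders tcp-wrappers hosts.deny entries for sources that cross a threshold. The sample log, the threshold of three failures in ten minutes, and the RFC 5737 documentation addresses are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd failure lines (RFC 5737 documentation
# addresses, not real sources), shaped like the output in the thread.
SAMPLE_LOG = """\
Nov 16 15:42:01 server1 sshd: error: PAM: authentication error for illegal user admin from 192.0.2.10
Nov 16 15:42:01 server1 sshd: Failed keyboard-interactive/pam for invalid user admin from 192.0.2.10 port 53806 ssh2
Nov 16 15:42:04 server1 sshd: Failed keyboard-interactive/pam for invalid user admin from 192.0.2.10 port 53811 ssh2
Nov 16 15:42:07 server1 sshd: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 53819 ssh2
Nov 16 16:35:10 server1 sshd: Failed keyboard-interactive/pam for invalid user admin from 198.51.100.7 port 25034 ssh2
Nov 16 18:22:12 server1 sshd: Failed password for root from 203.0.113.9 port 7735 ssh2
Nov 16 18:22:13 server1 sshd: Failed password for root from 203.0.113.9 port 7736 ssh2
Nov 16 19:40:00 server1 sshd: Failed password for root from 203.0.113.9 port 8001 ssh2
"""

# One "Failed ..." line per attempt. The paired "error: PAM:" line that
# sshd logs for the same attempt does not match, so nothing is counted twice.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog omits the year; strptime fills in 1900, which is fine for
        # measuring gaps between entries of one log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("src")


def find_bruteforce_sources(text, threshold=3, window=timedelta(minutes=10)):
    """Return {source: peak failures} for sources with >= threshold failures
    inside any span of `window` (threshold/window are assumed values)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, src in parse_failures(text):
        q = recent[src]
        q.append(ts)
        # drop attempts that fell out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def hosts_deny_lines(flagged):
    """Render tcp-wrappers /etc/hosts.deny entries for the flagged sources."""
    return [f"sshd: {src}" for src in sorted(flagged)]


if __name__ == "__main__":
    hits = find_bruteforce_sources(SAMPLE_LOG)
    for src, n in sorted(hits.items()):
        print(f"{src}: {n} failures inside the window")
    print("\n".join(hosts_deny_lines(hits)))
```

In the constructed sample only 192.0.2.10 is flagged: 198.51.100.7 fails once, and 203.0.113.9's two failures are followed by a third more than ten minutes later, so the window has already emptied. A real deployment would also need to expire the bans, which is the part denyhosts and the tcp-wrappers recipe handle for you.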
If you are the only user who logs in via ssh, you can also add the line "AllowUsers <yourusername>". This will prevent all other users from logging in. You can do this in addition to using public key encryption. Doing this will deny system login attempts, which are common targets.
Also, protect your private key (on your client) with a passphrase. Changing the port from 22, while it won't in itself do much against a determined cracker, will reduce the "noise" from script-kiddie brute-force attacks.
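The sshd_config changes suggested across the replies (shorter LoginGraceTime, lower MaxAuthTries, MaxStartups, no root login, AllowUsers, keys instead of passwords, a non-default port) can be checked mechanically. The following is an added example, not code from the thread: it parses a sshd_config, fills in absent directives with the historical upstream defaults (an assumption; check sshd_config(5) for your version, since newer releases default PermitRootLogin to prohibit-password), and reports which recommendations a file misses. Both config texts and the thresholds (MaxAuthTries 3, LoginGraceTime under 120 s) are constructed.

```python
import re

# Constructed weak example: every directive left at its old upstream default.
WEAK_CONFIG = """\
# sshd_config -- constructed weak example
Port 22
#PermitRootLogin yes
#LoginGraceTime 2m
#MaxAuthTries 6
#MaxStartups 10
PasswordAuthentication yes
"""

# Constructed hardened example applying the thread's recommendations.
HARDENED_CONFIG = """\
# sshd_config -- constructed hardened example
Port 2222
PermitRootLogin no
LoginGraceTime 30
MaxAuthTries 3
MaxStartups 3:50:10
AllowUsers alice
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Assumed upstream defaults used when a directive is absent or commented out.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "logingracetime": "120",
    "maxauthtries": "6",
    "maxstartups": "10",
    "passwordauthentication": "yes",
}

DIRECTIVE_RE = re.compile(r"^(\S+?)\s*[=\s]\s*(.+?)\s*$")


def parse_sshd_config(text):
    """Return {lowercased directive: value}; sshd honours the first occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2))
    return conf


def to_seconds(value):
    """Convert sshd time values such as 30, 30s or 2m to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError(f"bad time value: {value}")
    mult = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(m.group(1)) * mult[m.group(2)]


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if to_seconds(conf["logingracetime"]) >= 120:
        findings.append("LoginGraceTime at the 120s default or longer")
    if int(conf["maxauthtries"]) > 3:
        findings.append("MaxAuthTries above 3")
    # MaxStartups may be N or start:rate:full; only the first field is checked
    if int(conf["maxstartups"].split(":")[0]) > 10:
        findings.append("MaxStartups above the default of 10")
    if "allowusers" not in conf:
        findings.append("no AllowUsers restriction")
    if conf["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication enabled; prefer key-based login")
    if conf["port"] == "22":
        findings.append("listening on port 22 (noise reduction only, not a control)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Run it against a copy of your real sshd_config (`audit(open("/etc/ssh/sshd_config").read())`) after editing, and confirm the service still accepts your own key before closing the session you edited from.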