SSH Security
Hello,
I was just watching my security logs, and I've just noticed numerous attempts by someone unknown to me from IP address 221.166.169.102 (which is pingable and nmap-able, by the way). What action should I take? And should I block this IP address at the firewall level? On a side note, is it possible to block root ssh logins from outside my network? Thank you. |
Disabling root logins via ssh is strongly recommended; it gives you an additional layer of security...
To do that, just make sure that in your /etc/ssh/sshd_config file you have this:
PermitRootLogin no
Good luck... |
See the news thread on ssh login attempts at the top of the forum for more info as well.
|
Restriction and Abuse
Is the machine accepting more than admin logins through SSH? If not, create an admin group and restrict login to that group. Or, if it is just you, restrict the login to you and you alone.
Also, this type of scanning sucks and should be stopped. Report the abuse to the net-block owner's abuse or technical contact. I typically send the full output from: host, whois, nslookup, dig. Have fun.... -james |
It should be reported, but as far as security goes I would not worry too much about them guessing your password.
|
Is it at all possible to get PermitRootLogin no on a per-host basis? Just from a slightly lazy standpoint, I would rather not have to su when I ssh within my private LAN.
I read the thread on SSH login attempts; it seems like that is what happened, given the fact that it all happened within a minute. But is this something which happens from 0wned/infected machines or from malicious machines? I've already written to the email address I picked up from a whois. But how do I restrict ssh logins based on group membership? Better yet, any good links on hardening sshd? Thanks.....I'll be sure to post the SSH Login attempts thread to my local LUG |
SSH login attempts
Yes, you can restrict per host; the easiest way would be to use webmin, which can help you fine-tune your configuration.
- Browse through "Servers" / "SSH Server"; this is where you configure SSH. For your particular needs, look for Client Host Options to modify these settings.
Resources for SSH:
- The OpenSSH manual...
- PuTTY is a good SSH client for Windows....terminal or tunneling VNC, it works great.
- IBM LPI series. I finally got them all printed up and bound for myself....woohoo, I can study! You are looking for the last tutorial...
- I have been hungrily looking at Secure Shell: The Definitive Guide for years now.....
Have fun... -james |
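Both questions above (PermitRootLogin no except from the private LAN, and login restricted to one group) can be done directly in sshd_config with a Match block, without webmin. The fragment below is an added example, not from this thread; the LAN range 192.168.1.0/24 and the group name sshusers are assumptions.

```conf
# /etc/ssh/sshd_config -- global section applies to every connection.
# Assumed values: LAN 192.168.1.0/24, group "sshusers" (create it with
# groupadd sshusers and add accounts with usermod -aG sshusers <user>).

# No direct root login by default; become root with su or sudo after logging in.
PermitRootLogin no

# Only members of this group may log in at all; everyone else is refused
# before a password is even checked.
AllowGroups sshusers

# Fewer password guesses per connection and a shorter login window.
MaxAuthTries 3
LoginGraceTime 30

# Match blocks must be the last thing in the file. Their settings override
# the global ones only for connections that match, here: clients on the LAN.
# root's primary group is "root", so it has to be allowed here as well.
Match Address 192.168.1.0/24
    PermitRootLogin yes
    AllowGroups sshusers root
```

Check the file with `sshd -t -f /etc/ssh/sshd_config` before restarting sshd, and keep an existing session open while you test a new one so a mistake does not lock you out.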
use sudo
Quote:
If you haven't already created a regular account for yourself, you should. Anytime you can work without being root, it's a good idea; we've all typed the command we wish half a second later we had read more carefully. Using sudo, you can give yourself temporary root privileges only when you need them. Then you can deny root login (one of the first things to harden sshd), but you can still become root easily, and if you have users who need privileges for a couple of occasional tasks, you don't have to give THEM your root password, and you can define and limit what they're allowed to do (in /etc/sudoers). As a side benefit on systems with many users, you still have accountability because users' commands are logged while root's generally aren't. Type
Code:
sudo <command>
Code:
sudo su - root
/etc/sudoers defines who can do what with sudo, so you'll have to add your user account to it. For a bit tighter security, you can add the new user to the group wheel and only allow that group to execute commands using sudo. Just like "su," sudo defaults to root if you don't specify a user but isn't limited to the superuser. You can do
Code:
sudo -u <otheruser> <command>
Example /etc/sudoers file:
Code:
# sudoers file.
------- edit: mindmerge makes a great point mentioning PuTTY. I've never tunneled VNC with it, but it's the best free Windows ssh client I've seen, and it comes with pscp, a Windows secure copy client that I haven't seen beaten by anything, free or otherwise. |
Re: SSH login attempts
Quote:
It seems that he has attacked other people as well... I have recently had similar problems, and I just changed the ssh configuration file to not allow root logins. It has worked great for me. The inconvenience of having to "su -" is a small price to pay. |
Hey guys, thanks for all the info.
I already knew about sudo; guess I should have said that before. Was just hoping sshd allowed ACLs based on user, group and connecting host. Thanks for the webmin suggestions, but even in my rookieness I've been somewhat paranoid; the idea of some web interface somehow altering that many configs just worries me. I think I'll give the man page a good read-through. Well, I've just disallowed root logins; alas, I shall have to su/sudo. But two side questions: 1) Is there a way to be instantly alerted (have a script run) on a failed ssh login? Right now, I have my server call me when power goes and it switches to UPS. I am hoping for something similar with such hack attempts. 2) Is it possible/advisable to download a list of malicious IPs and filter them out at an iptables level? I would hate to get 0wned out of my own ignorance. Thanks |
Quote:
http://www.logwatch.org
|
Re: SSH Security
Quote:
script kiddies, spiders, worms, rootkits, scanners, etc are all part of the internet ecosystem and it's better to be prepared for them FROM ANY IP ADDRESS... of course if some IP has you pinned-down under a non-distributed cyber-attack (DOS, brute-force, etc.), then DROPing that IP would be great in that case... a distributed cyber-attack would be a completely different story, of course... a script that sends tcp/22 requests from certain IPs to DROP for X amount of time after sshd gets a X amount of login failures from that IP would be awesome... anybody know how to do this?? =) |
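The threshold-and-DROP script asked for above is essentially what a log watcher does: count sshd "Failed password" lines per source address inside a sliding time window, and emit a firewall rule once an address crosses the limit. This is an added example, not code from the thread; the log lines, host name "gw" and the 5-failures-in-60-seconds policy are constructed, and the rules are only rendered, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure line as syslog writes it to auth.log (the timestamp has no year)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def find_offenders(lines, threshold=5, window_secs=60, year=2005):
    """Return {ip: time of the failure that crossed the threshold} for every IP
    with >= threshold failed logins inside any window_secs span. Accepted logins
    and lines that are not sshd failures are ignored."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m["ip"] in offenders:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_secs:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold:
            offenders[m["ip"]] = ts
    return offenders

def drop_rules(offenders):
    """iptables commands that drop new tcp/22 traffic from each offender."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(offenders)]

def expired(offenders, now, ban_secs=900):
    """IPs whose temporary ban has run out (the 'DROP for X amount of time' part)."""
    return sorted(ip for ip, ts in offenders.items() if (now - ts).total_seconds() > ban_secs)

# Constructed sample log (not from the original post): one scanner hammering root and
# guessed user names, and one LAN user who mistyped a password once.
SAMPLE_LOG = [
    "Feb 14 02:41:13 gw sshd[2101]: Failed password for root from 221.166.169.102 port 43122 ssh2",
    "Feb 14 02:41:15 gw sshd[2103]: Failed password for invalid user test from 221.166.169.102 port 43124 ssh2",
    "Feb 14 02:41:17 gw sshd[2105]: Failed password for invalid user guest from 221.166.169.102 port 43126 ssh2",
    "Feb 14 02:41:19 gw sshd[2107]: Failed password for admin from 221.166.169.102 port 43128 ssh2",
    "Feb 14 02:41:20 gw sshd[2109]: Accepted publickey for james from 192.168.1.10 port 50120 ssh2",
    "Feb 14 02:41:22 gw sshd[2111]: Failed password for root from 221.166.169.102 port 43130 ssh2",
    "Feb 14 02:43:00 gw sshd[2120]: Failed password for james from 192.168.1.10 port 50130 ssh2",
]

if __name__ == "__main__":
    for rule in drop_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

Feeding it `tail -f /var/log/auth.log` (and running the rendered rule, plus the matching `-D` rule when `expired()` reports the address) turns it into the online watcher the later posts note logwatch is not.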
Well I'll take a look at logwatch very soon.
But based on your (win32sux) last post, I'm guessing that one could write up a script using logwatch to do that. |
Just took a quick look at logwatch, but it seems like this is a batch process, and not an online, watch-type process. I very well may be wrong here.
|