Everyday i get huge log file of some idiots trying to use random SSH username/password login on my server & probably a DoS attack. I have clients located in US who SFTP to my srever to download files.

I have setup SSH the following way:

1) chrooted SFTP login only
2) Allow authorized users only with " ALlowUsers" keyword in /etc/ssh/sshd_config
3) No root login
4) Protocol 2 only
5) Listen on 0.0.0.0

I only have to allow connection from outside to my SSH port 22 in my iptables other all other NEW connections are DROP in my firewall.

How do stop this. change port 22 to another port?

here is part of my log. Most of the source IP's are from China:

Unfortunately the world is full of idiots.... just watch the news every day....

The best that you can do is monitor and start blocking the culprit IPs

Also read up on rate limiting... check a site like http://www.debian-administration.org/articles/187 ....

Good luck

Will your legitimate clients agree to using keys to login with instead of username/passwords? That's how we're set up here. All username/password attempts fail, only users who've got their public key in ~/.ssh on the ssh server can get in.

I just setup my own server in this way and I'm very happy with it! I finally feel at least somewhat safe running SSH. I also moved the service to an obscure port.

You can also look at setting up some rules through iptables to limit the amount of new connections to the port you are now running on if you have the `recent` module built into the kernel. just type at the prompt:

modprobe ipt_recent

If you don't get an error, you have the module installed, you can start limiting the amount of connections in a certain time period before blocking. The `recent` module creates a list and adds ip-addresses to the list, after the time limit specified has expired the ip-address can connect again. some example rules would look like this:

# $IPTABLES -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
# $IPTABLES -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 -j DENY

hey kool learned nice tricks here thnks. currently i have changed my port to someting else now i will try above tricks

this site rox n linux rox

amazing knowledge thnxa ton

You can change ssh to another port quite easily and it does stop the attacks but a better solution would be something like http://denyhosts.sourceforge.net/

^^ thats an excellent utility thnx

Something to consider also, the log indicates a few ip addresses. Thes attackers are most likely using an automated brute force program. A way to defeat it is to listen on a different port than 22. I changed my defaul SSH port to another lesser known port and the attacks you're seeing have gone away.

The programs that scan are wanting to get the "low hanging fruit" so to speak. They are going after defaults and looking for ssh v1 etc.. By changing the port you can save yourself the headache of the idiots.

G'luck