Newbie - what to do about huge number of attempted ssh logins
Lastb often shows me a huge list of attempted ssh logins.
Such as this excerpt:
Code:
admin ssh:notty Sat Sep 11 23:47 - 23:47 (00:00) 184-154-37-12.Huge-DNS.COM
I'd like for logwatch not to have to send me such a huge report. I think I can put something in /etc/hosts.deny but I'm sort of lost in the man page. Can you please tell me exactly what line to put in hosts.deny for the example above? (Currently /etc/hosts.deny is empty.) And am I right in thinking that would prevent them from getting logged? |
Code:
ALL: 174.37.172.68
You should run DenyHosts or Fail2Ban to do this automatically. |
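As an added example (not code from the thread or from any of its posters), here is how the hosts.deny line suggested above can be generated from the lastb output the question shows, rather than typed by hand for every host. It assumes `lastb -ai` output (host column last, shown as a numeric address rather than a reverse-DNS name, since the name is controlled by whoever owns the address), a threshold and an allow list chosen by the admin, and the constructed sample below. Two points worth knowing before relying on this: hosts.deny only applies if sshd is linked against libwrap (the `sshd_uses_tcp_wrappers` check), and a refused connection never reaches the login code, so it no longer appears in lastb, although sshd still writes one "refused connect" line per attempt to syslog.

```shell
#!/bin/sh
# Added example (not from the thread): turn `lastb -ai` output into hosts.deny
# candidates. Assumes the host column is last (lastb -a) and numeric (lastb -i).

# Count failed SSH logins per source address, most active first.
# Reads lastb output on stdin; prints "<count> <ip>" per line.
failed_ssh_by_source() {
    awk '$2 == "ssh:notty" && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $NF }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print a hosts.deny line for every source with at least $1 failures,
# skipping any addresses listed in $2 (space separated) so the admin's own
# address never ends up in the deny file.
hosts_deny_candidates() {
    threshold="$1"
    allow="${2:-}"
    failed_ssh_by_source | awk -v t="$threshold" -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        $1 + 0 >= t + 0 && !($2 in keep) { print "ALL: " $2 }'
}

# hosts.deny only matters if sshd was built against tcp_wrappers (libwrap).
sshd_uses_tcp_wrappers() {
    ldd "$(command -v sshd)" 2>/dev/null | grep -q libwrap
}

# Constructed sample in the layout shown in the thread (host column last);
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LASTB='admin    ssh:notty    Sat Sep 11 23:47 - 23:47  (00:00)     203.0.113.10
root     ssh:notty    Sat Sep 11 23:47 - 23:47  (00:00)     203.0.113.10
oracle   ssh:notty    Sat Sep 11 23:48 - 23:48  (00:00)     203.0.113.10
test     ssh:notty    Sat Sep 11 23:48 - 23:48  (00:00)     203.0.113.10
admin    ssh:notty    Sat Sep 11 23:49 - 23:49  (00:00)     198.51.100.7
bob      ssh:notty    Sat Sep 11 23:50 - 23:50  (00:00)     198.51.100.7
alice    tty1         Sat Sep 11 23:51 - 23:51  (00:00)

btmp begins Sat Sep 11 00:00:01 2010'

# On a live system:  lastb -ai | hosts_deny_candidates 10 "$MY_IP" >> /etc/hosts.deny
# Dry run on the constructed sample (prints "ALL: 203.0.113.10"):
printf '%s\n' "$SAMPLE_LASTB" | hosts_deny_candidates 3
```

The allow list argument is the safeguard: put the address you administer from there, and it can never be written into hosts.deny no matter how many failures it accumulates (for example, when a mistyped password in several screen sessions trips the threshold).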
You can also limit the users (or groups) that can use SSH, as well as forcing the use of keys instead of passwords.
If you just want to reduce the clutter in your logs, run your SSH daemon on another port. I have my external SSH on port 443 now because the proxy at one of the sites I work at won't allow connections to anything except ports 80, 8080 or 443. A side effect of doing that was that, since most port scans only check port 22 for SSH, I now get no attempts to access my SSH server. Please note, that's just convenience, not extra security :) |
You could also throw a few rules on your firewall to disallow an IP after a certain number of attempts during a specific time period:
Code:
iptables -N AUTOBAN
Interestingly, I've found that the number of attempts has dropped precipitously. There is the occasional clown who has tailored their attack so that it evades something like this, but that is rare. By the way, a big thumbs up to folks at Codero. I was getting pestered by one of these slow rollers, complained to them since it was one of their IP addresses, and they actually did something about it. Never had that happen before. |
You could also read the sticky (fifth thread) on the LQ "Security Forum" which is titled "Failed SSH login attempts" and has an interesting discussion about how to prevent them becoming annoying.
|
Thanks, everyone. Hangdog42 I'm trying the iptables - seems a lot simpler than trying to install DenyHosts or Fail2Ban (extreme newbie fearful of breaking the server and having to crawl to host Support).
|
unSpawn, this is of course good advice.
I back up the database with mysqldump and tar.gz the public_html every day. The backup files are copied to another server (shared) and also to my PC. I wrote a script to make my backups and scp to the other server but so far haven't succeeded in getting it to run as a cron job, so I run the script manually every 11:00 PM. No clue how to make a staging server or how to back up anything other than user accounts (via DirectAdmin).
I had already read 'Failed SSH Login attempts' as part of extensive googling. It says "Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny)" so I figure iptables is ok for starters? yum install doesn't find DenyHosts or Fail2Ban so I guess I would download (via rpm?) first and then run yum?
Part of my overall hesitation is because my host's techs log in as root every so often and I don't want to accidentally block them. I don't know all the names. There is just one of them in /home/ at the moment.
Edit: Doing the iptables thing seems to have been remarkably successful so far - no attempts for the last two hours. |
(@all: any DirectAdmin experts in the house?)
* Also it's time you know issues on LQ should be split up wrt their topic. Anything that touches on security remains here, backups, server configuration, distribution-specific issues, et cetera should be split off or see new threads created in their respective forum. |
Thanks again, unSpawn.
I think this is a security thought: I really don't like the way my host logs in as root. This looks as though they log in as root over SSH from some PC.
Code:
root pts/8 Mon Sep 13 13:11 - 13:11 (00:00) [UNDISCLOSED_IP_ADDRESS]
Nothing I can do about my host, though. |
My iptables blacklisted my own IP!
All straightened out with the aid of the host's Support. I think it happened because I had four sessions running in 'screen'. I like the iptables thing but I have temporarily removed it with 'iptables -F AUTOBAN'. It was made with
Code:
iptables -N AUTOBAN
Is there a way to keep iptables from blacklisting me? And, is there a way to un-blacklist an IP? |
I have done further research. Actually, I don't believe iptables blacklists? It just drops?
It was DirectAdmin that added my IP to their blacklist. I have put myself in DirectAdmin whitelist. |
Code:
iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX --dport 22 -j ACCEPT
|
* BTW I've cleaned up offending IP addresses and account names. There's no need to disclose that kind of information wrt a Live server. |
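The AUTOBAN chain quoted earlier in the thread survives only as its first line, and the reply above shows the whitelist rule on its own. As an added example (not the thread's own rules and not from any poster), here is a complete version of that chain built on the iptables "recent" match, with the whitelist in the position where it actually protects the admin, plus a way to un-ban a single address without flushing the chain. It assumes sshd on `SSH_PORT`, the `xt_recent` module, and a placeholder `ADMIN_IP` (203.0.113.5, a documentation address) standing in for the address you log in from; `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): a rate-limiting AUTOBAN chain using the
# iptables "recent" match, a whitelist so the admin's own address is never
# banned, and an un-ban helper. Assumes sshd on SSH_PORT, the xt_recent module,
# and ADMIN_IP (placeholder) being the address you administer from.
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_IP="${ADMIN_IP:-203.0.113.5}"    # placeholder: replace with your own address

# Install the chain. Meant to run once, on a ruleset with no AUTOBAN chain yet.
autoban_install() {
    $IPT -N AUTOBAN
    # 1. Whitelist first: rules are evaluated top-down, so this ACCEPT must sit
    #    above the AUTOBAN jump, otherwise the admin is rate-limited like anyone else.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -s "$ADMIN_IP" -j ACCEPT
    # 2. Every other new SSH connection goes through AUTOBAN.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j AUTOBAN
    # 3. Record the source address in the AUTOBAN list ...
    $IPT -A AUTOBAN -m recent --name AUTOBAN --set
    # 4. ... and drop it once it has opened 5 or more new connections in 60 s.
    #    --update refreshes the timestamp, so a host that keeps hammering stays banned.
    $IPT -A AUTOBAN -m recent --name AUTOBAN --update --seconds 60 --hitcount 5 -j DROP
    # 5. Below the threshold: back to INPUT, where SSH is accepted.
    $IPT -A AUTOBAN -j RETURN
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Remove one address from the recent list (the proc path depends on the kernel).
autoban_unban() {
    for list in /proc/net/xt_recent/AUTOBAN /proc/net/ipt_recent/AUTOBAN; do
        if [ -w "$list" ]; then
            echo "-$1" > "$list"
            return 0
        fi
    done
    echo "AUTOBAN recent list not found" >&2
    return 1
}

# Show who is currently in the list (address, last seen, hit timestamps).
autoban_list() {
    cat /proc/net/xt_recent/AUTOBAN 2>/dev/null || cat /proc/net/ipt_recent/AUTOBAN
}

case "${1:-}" in
    install) autoban_install ;;
    show)    (IPT=echo; autoban_install) ;;   # dry run: print the rules
    unban)   autoban_unban "$2" ;;
    list)    autoban_list ;;
esac
```

`sh autoban.sh show` prints the seven rules for review; `sh autoban.sh unban 203.0.113.5` clears one entry, which is the answer to "is there a way to un-blacklist an IP" that does not involve `iptables -F AUTOBAN`. Note that a slow scanner that spaces its attempts further apart than `--seconds` never reaches `--hitcount`; widening the window helps up to the module's per-address packet limit (`ip_pkt_list_tot`, 20 by default), beyond which log-driven tools such as DenyHosts or Fail2Ban are the better fit.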
Sorry, I don't know what you mean about "SSH'ing to root requires the root account to be enabled. Bad. When you SSH in the first time the connection is encrypted already. "
How would a person log in as root if root wasn't enabled? You've lost me. And are you saying that su root is better than SSH root? Also, not a chance my host will change their ways. Support is good but not real communicative and not generally hand holders. All contact is via problem tickets. |
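The settings the replies keep returning to (no direct root login over SSH, keys instead of passwords, an explicit list of allowed users, a non-default port) all live in sshd_config. As an added example, not from the thread, here is a small audit that reads such a file and reports which of those settings are still at their weak values; it is the check to run before and after editing the daemon's config. It assumes OpenSSH keyword names and the first-occurrence-wins rule of sshd_config, ignores Match blocks, and uses two constructed sample configs (in a temporary directory) for the dry run.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings the
# replies recommend. Assumes OpenSSH keywords; Match blocks are not handled.

# Print the effective value of one keyword: first occurrence wins (as in sshd),
# keywords are case-insensitive, comments are skipped, $3 is the default if unset.
sshd_option() {      # sshd_option <file> <keyword> <default>
    awk -v opt="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        !found && tolower($1) == opt { val = $2; found = 1 }
        END { print (val == "" ? def : val) }' "$1"
}

# Print one finding per weak setting; return 1 if any finding affects security.
sshd_audit() {       # sshd_audit <file>
    f="$1"; rc=0
    # "yes" was the compiled-in default before OpenSSH 7.0 (later: prohibit-password).
    if [ "$(sshd_option "$f" PermitRootLogin yes)" = "yes" ]; then
        echo "PermitRootLogin yes: root can log in directly over SSH"; rc=1
    fi
    if [ "$(sshd_option "$f" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication yes: password guessing is possible"; rc=1
    fi
    if [ -z "$(sshd_option "$f" AllowUsers "")" ] && [ -z "$(sshd_option "$f" AllowGroups "")" ]; then
        echo "No AllowUsers/AllowGroups: every account with a shell may log in"; rc=1
    fi
    if [ "$(sshd_option "$f" Port 22)" = "22" ]; then
        echo "Port 22: expect scanner noise in the logs (moving it is convenience, not security)"
    fi
    return $rc
}

# Constructed samples: a stock-looking config and a hardened one.
write_sample_configs() {   # write_sample_configs <dir>
    cat > "$1/weak" <<'EOF'
# constructed sample: stock-looking sshd_config
#Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
EOF
    cat > "$1/hardened" <<'EOF'
# constructed sample: the settings the replies suggest
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
}

if [ $# -ge 1 ]; then
    sshd_audit "$1"                     # e.g. sh audit.sh /etc/ssh/sshd_config
else
    tmp=$(mktemp -d); write_sample_configs "$tmp"
    echo "weak:";     sshd_audit "$tmp/weak" || :     # status 1 means findings
    echo "hardened:"; sshd_audit "$tmp/hardened" || :
    rm -rf "$tmp"
fi
```

On the question of direct root login: with `PermitRootLogin no` the root account still exists and can still be reached with `su` from an unprivileged account, so the daemon's password guessing is aimed at named users rather than at root, and each root session is tied to an individual login in the logs.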