Yes, I think somebody has written some scripts out there that look for certain usernames on SSH port
22, because it will be coming from different IPs but looking for the same usernames. Well, at least I saw
this on a friend's box, until we secured his box using my procedure. Then they all went away. This is
what they see now.
Example:
$ ssh localhost
ssh: connect to host localhost port 22: Connection refused
$
Now they just hit port 22 once and move on to less secure machines...
You can get to my SSH hardening procedure by following this thread:
http://www.linuxquestions.org/questi...25#post1699125
Otherwise, you can deny them through the hosts.deny file, but do it in such a way that you only
deny them SSH access to the machine. This way you also won't deny access to legitimate users.
Example:
sshd: 192.168.0.5 : DENY (Note: Ignore the space between : and DENY)*
Someone trying to connect from that IP will now get a short pause, and then see this:
$ ssh <hostname>
ssh_exchange_identification: Connection closed by remote host
$
Someone trying to connect from 192.168.0.6 could still connect.
You can also deny entire subnets, like this.
Example:
sshd: 192.168.0. : DENY (Note: Ignore the space between : and DENY)*
Just make sure that you always have a blank line as the last line in the file (in some cases it
may fail if you don't). See the note about newline characters at the end of the line, in the
HOSTS_ACCESS man pages. See also HOSTS_OPTIONS for even more tips...
You could also reverse this if you only needed to be able to SSH in from one box. So, instead
of editing the /etc/hosts.deny file, edit the /etc/hosts.allow file and use this sequence:
Example:
sshd: 192.168.0.10 :ALLOW
Now, only the .10 address can connect, all others will be denied. Use this carefully though,
because if you are out on the road one day you may not be able to connect remotely unless
you had added the IP of the remote box prior to leaving the house...
Example:
sshd: 192.168.0.10 XXX.XXX.XXX.XXX :ALLOW
Where XXX.XXX.XXX.XXX is the IP of the remote box you want to allow to connect.
/Les
* I had to add a space between : and DENY otherwise the : and D together give me a
smiley face like this
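
Added example (not part of the post above and not tcp_wrappers' own code): a small Python evaluator for the IPv4 rule forms used in the post, following the order documented in hosts_access(5): hosts.allow is read first, then hosts.deny, and access is granted when neither file matches. The file contents and the 203.0.113.7 address are constructed samples, and the function names are hypothetical.

```python
"""Evaluate tcp_wrappers rules for the IPv4 forms used in the post above."""

def client_matches(pattern, ip):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.0." covers the whole prefix
        return ip.startswith(pattern)
    return pattern == ip               # single address

def parse_rules(text):
    """Yield (daemons, clients, option); option is 'ALLOW', 'DENY' or None."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                   # not a "daemon : client" rule
        option = fields[2].upper() if len(fields) > 2 else None
        if option not in ("ALLOW", "DENY"):
            option = None              # other hosts_options keywords are ignored here
        yield fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split(), option

def decide(allow_text, deny_text, daemon, ip):
    """True if access is granted. hosts.allow is read first, then hosts.deny;
    the first matching rule decides; no match in either file grants access."""
    for grants, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, option in parse_rules(text):
            if not any(d == daemon or d.upper() == "ALL" for d in daemons):
                continue
            if any(client_matches(c, ip) for c in clients):
                return grants if option is None else option == "ALLOW"
    return True

def lacks_final_newline(text):
    """The post's caveat: a file whose last line has no newline may fail."""
    return bool(text) and not text.endswith("\n")

if __name__ == "__main__":
    # Constructed sample files and addresses, not taken from a real host.
    allow = "sshd: 192.168.0.10 :ALLOW\n"
    for deny in ("", "sshd: ALL\n"):
        for ip in ("192.168.0.10", "203.0.113.7"):
            verdict = "granted" if decide(allow, deny, "sshd", ip) else "denied"
            print(f"hosts.deny={deny!r:14} {ip:13} -> {verdict}")
```

With an empty hosts.deny the unlisted address is still granted; adding `sshd: ALL` to hosts.deny is what turns the hosts.allow entry into an allow-list.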