07-21-2008, 08:43 PM
"Bo Lynch"
Ideas for stopping ssh brute force attacks

Just wanted to get some feedback from the community. Over the last few
days I have noticed my web server and email box have had attempts to ssh
to them using weird names like admin, appuser, nobody, etc. None of these are
valid users. I know that I can block sshd altogether with iptables but
that will not work for us. I did a little research on Google and found
programs like sshguard and sshdfilter. Just wanted to know if anyone had
any experience with anything like these programs or has any other advice.
I really appreciate it.

--
Bo Lynch

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
07-21-2008, 08:56 PM
"Lundgren, Andrew"
Ideas for stopping ssh brute force attacks

I have been using fail2ban to limit the attacks. It works exactly as they advertise and I am happy with it.

--
Andrew

 
07-21-2008, 09:01 PM
"Michael Gabriel"
Ideas for stopping ssh brute force attacks

Easiest way with CentOS onboard tools is the iptables recent module ...

Simply limit the number of connections a host is allowed to the ssh port:

iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN

iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

Limits each host to 3 connections within 5 minutes. Enough to make bots stop
and still not too annoying for users that mistype their password 3x3 times.

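
A simplified replay of the two SSHSCAN rules from the message above, added here as an example and not part of the original post. The function names, the PASS/DROP labels and the sample addresses are assumptions; each input line stands for one NEW SYN, and client SYN retransmits after a DROP are not modelled.

```sh
#!/bin/sh
# Model of:  -m recent --set --name SSH
#            -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
# stdin : one NEW connection attempt per line, "<epoch-seconds> <source-ip>",
#         in time order. stdout: "<epoch-seconds> <source-ip> PASS|DROP".
# PASS means the packet leaves SSHSCAN and continues through INPUT.
replay_sshscan() {
    awk -v window="${1:-300}" -v hitcount="${2:-3}" '
    {
        t = $1; ip = $2
        # Rule 1 (--set): always record a timestamp for this source.
        n[ip]++; stamp[ip, n[ip]] = t
        # Rule 2 (--update): count timestamps no older than the window;
        # the one just recorded by rule 1 is included.
        hits = 0
        for (i = 1; i <= n[ip]; i++)
            if (t - stamp[ip, i] <= window) hits++
        if (hits >= hitcount) {
            # A matching --update refreshes the entry, so a source that
            # keeps retrying stays blocked.
            n[ip]++; stamp[ip, n[ip]] = t
            print t, ip, "DROP"
        } else {
            print t, ip, "PASS"
        }
    }'
}

# Constructed sample: 203.0.113.7 retries every 60 s, then returns much later;
# 198.51.100.20 is a user who connects twice and again after the window.
sample_events() {
    cat <<'EOF'
0 203.0.113.7
10 198.51.100.20
30 198.51.100.20
60 203.0.113.7
120 203.0.113.7
180 203.0.113.7
240 203.0.113.7
700 198.51.100.20
900 203.0.113.7
EOF
}

sample_events | replay_sshscan
```

In this model the `--set` rule counts the current packet before `--hitcount 3` is evaluated, so the third new connection from one address inside 300 seconds is the first one dropped.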
 
07-21-2008, 09:04 PM
Max Hetrick
Ideas for stopping ssh brute force attacks

Bo Lynch wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc.... None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

Perhaps some FAQs on SSH at the CentOS wiki will help you out too.

http://wiki.centos.org/HowTos/Network/SecuringSSH

Regards,
Max

 
07-21-2008, 09:08 PM
"Lanny Marcus"
Ideas for stopping ssh brute force attacks

On Mon, Jul 21, 2008 at 3:43 PM, Bo Lynch <blynch@ameliaschools.com> wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc.... None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

Possibly begin by not allowing root access. Don't use passwords, use keys.

http://wiki.centos.org/TipsAndTricks/SshTips/SshKeyAuthentication
 
07-21-2008, 09:11 PM
"Dan Carl"
Ideas for stopping ssh brute force attacks

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org]On
> Behalf Of Bo Lynch
> Sent: Monday, July 21, 2008 3:43 PM
> To: centos@centos.org
> Subject: [CentOS] Ideas for stopping ssh brute force attacks
>
>
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc.... None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.
>
> --
> Bo Lynch
>
Just change the default port.
You can also limit the allowed knocks on door with iptables, but changing the
port is much easier.
Cleans up the logs real nice.
Dan
 
07-21-2008, 09:16 PM
"Rob Townley"
Ideas for stopping ssh brute force attacks

On Mon, Jul 21, 2008 at 4:11 PM, Dan Carl <danc@bluestarshows.com> wrote:
> Just change the default port.
> You can also limit the allowed knocks on door with iptables, but changing the
> port is much easier.
> Cleans up the logs real nice.
> Dan

PortKnocking - ports appear closed until the correct knock on the ports.

 
07-21-2008, 09:17 PM
Ned Slider
Ideas for stopping ssh brute force attacks

Bo Lynch wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc.... None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

There's a page on the Wiki with a few suggestions for hardening SSH:

http://wiki.centos.org/HowTos/Network/SecuringSSH

There are a number of measures you can take and employing a few in
combination is always a good idea. Strong passwords are a must as is
disabling root logins. Firewalling and/or key-based authentication with
passwords disabled are great where that is possible. Moving SSH to a
non-standard port will certainly reduce your levels of background noise
but doesn't necessarily make your setup inherently more secure.


My personal opinion is that there is enough there to work with without
having to resort to 3rd party add-ons
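
The settings recommended in this thread (no root login, keys instead of passwords, optionally a non-standard port) can be checked mechanically. The script below is an added example, not part of the original messages; the function names, the OK/WARN/NOTE labels and both sample configurations are constructed, and only the global section before any Match block is read.

```sh
#!/bin/sh
# Audit an sshd_config read from stdin. A keyword that is not set is reported
# as WARN because it has not been explicitly disabled. A standard port is only
# a NOTE: moving it reduces log noise but is not a control on its own.
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")              # accept "Keyword=value" as well
        key = tolower($1)                      # keywords are case-insensitive
        if (key == "match") exit               # audit the global section only
        if (key == "port") { ports = ports " " $2; if ($2 == 22) std = 1; next }
        if (!(key in val)) val[key] = tolower($2)   # first occurrence wins
    }
    END {
        root = ("permitrootlogin" in val) ? val["permitrootlogin"] : "unset"
        pass = ("passwordauthentication" in val) ? val["passwordauthentication"] : "unset"
        if (ports == "") { ports = " 22 (default)"; std = 1 }
        printf "%s PermitRootLogin=%s\n", (root == "no" ? "OK" : "WARN"), root
        printf "%s PasswordAuthentication=%s\n", (pass == "no" ? "OK" : "WARN"), pass
        printf "%s Port=%s\n", (std ? "NOTE" : "OK"), substr(ports, 2)
    }'
}

# Constructed sample: stock-like settings.
weak_config() {
    cat <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample: thread advice applied (2222 is an arbitrary example port).
hardened_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
}

echo "weak:";     weak_config | audit_sshd_config
echo "hardened:"; hardened_config | audit_sshd_config
```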
 
07-21-2008, 09:20 PM
"Lanny Marcus"
Ideas for stopping ssh brute force attacks

On Mon, Jul 21, 2008 at 4:08 PM, Lanny Marcus <lmmailinglists@gmail.com> wrote:
> On Mon, Jul 21, 2008 at 3:43 PM, Bo Lynch <blynch@ameliaschools.com> wrote:
>> just wanted to get some feedback from the community. Over the last few
>> days I have noticed my web server and email box have attempted to ssh'd to
>> using weird names like admin,appuser,nobody,etc.... None of these are
>> valid users. I know that I can block sshd all together with iptables but
>> that will not work for us. I did a little research on google and found
>> programs like sshguard and sshdfilter. Just wanted to know if anyone had
>> any experience with anything like these programs or have any other advice.
>> I really appreciate it.
>
> Possibly begin by not allowing root access. Don't use passwords, use keys.
>
> http://wiki.centos.org/TipsAndTricks/SshTips/SshKeyAuthentication

The above link is mostly dead. The data isn't there yet.

http://wiki.centos.org/TipsAndTricks/BecomingRoot

If you can sudo into your servers, that might help.

Also, use a different port. Many ways to skin a cat.
 
07-21-2008, 09:22 PM
Bowie Bailey
Ideas for stopping ssh brute force attacks

Bo Lynch wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to
> ssh'd to using weird names like admin,appuser,nobody,etc.... None of
> these are valid users. I know that I can block sshd all together with
> iptables but that will not work for us. I did a little research on
> google and found programs like sshguard and sshdfilter. Just wanted
> to know if anyone had any experience with anything like these
> programs or have any other advice. I really appreciate it.

The simplest thing is to change the port. I know it's "security through
obscurity", but it works well and can be used along with whatever other
security enhancements you care to use.

--
Bowie