On Mon, 2005-10-24 at 08:15, Steven Stern wrote:
> Stephanus Fengler wrote:
> ris
> >>
> > Hi Boris
> > Since I need the ssh service, I can't disable it. Actually counting the
> > number of root pw attacks it was 540 within 28 mins after then he
> > switched over to pw guessing for random usernames for another 500 times
> > and 25 mins. Anyway nslookup gives:
> >
> > nslookup 81.208.32.170
> > Server: 134.60.1.111
> >
> [snip]
> >
> >
> > I actually don't know what to do with this output.
> > and btw just using the ip in a web browser it comes up with a page from
> > IBM ?!? ... weird...
> >
> I modified the sshd_config file so SSH uses a port other than 22. In
> /etc/ssh/sshd_config, add
>
> port 2122
>
> To connect to the machine, you'd use
>
> ssh -p 2122 hostname

Changing the port ssh uses should eliminate most of the script kiddie
attacks. Changing the port will hide your system from a casual scan. If
someone targets your specific system they will still find the ssh port,
so you should implement some of the other measures already mentioned.

In addition to the other excellent advice, you can restrict ssh access
to specific user accounts. This allows you to have fine-grained control
over which users are even allowed to use ssh. Using public key
authentication is even better.

And if you decide to look into an active response system, be very
careful. They can be manipulated to block your access to your own system
if you are not careful.

IMHO using secure passwords, limiting the users that can use ssh, public
key authentication, changing the port used, and verifying that you are
using good passwords are simpler and easier to administer and provide
enough security to get the attacker to move on to another system.
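
An added example, not part of the original message: a small Python check that reads the global section of an sshd_config and reports which of the measures listed above (non-default port, AllowUsers, public key instead of password logins) are missing. The two sample configs and the account names are constructed; ListenAddress, AllowGroups and Include lines are assumed absent and are not evaluated.

```python
# Added example: audit an sshd_config for the measures named in the message.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "pubkeyauthentication": ["yes"], "allowusers": []}  # OpenSSH defaults
MULTI = {"port", "allowusers"}  # keywords that accumulate when repeated

def parse_sshd_config(text):  # returns {keyword: [values]} before any Match block
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, values = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":          # conditional blocks are out of scope here
            break
        if key in MULTI:
            seen.setdefault(key, []).extend(values)
        elif key not in seen and values:  # sshd uses the first value it reads
            seen[key] = values
    return {**DEFAULTS, **seen}

def audit(text):
    cfg = parse_sshd_config(text)
    findings = []
    if "22" in cfg["port"]:
        findings.append("port: sshd listens on 22, where casual scans look")
    if not cfg["allowusers"]:
        findings.append("users: no AllowUsers line limits which accounts may log in")
    if cfg["passwordauthentication"][0].lower() != "no":
        findings.append("passwords: password logins accepted, guessing stays possible")
    if cfg["pubkeyauthentication"][0].lower() != "yes":
        findings.append("pubkey: public key authentication is disabled")
    return findings

# Constructed samples; the account names are placeholders.
STOCK = """\
#Port 22
PasswordAuthentication yes
"""
HARDENED = """\
Port 2122
AllowUsers alice backup
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

On a live host, the output of sshd -T gives the effective settings and is the better input than the raw file.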