Re: how to react on ssh attacks?

On Mon, 2005-10-24 at 09:49 +0000, Stephanus Fengler wrote:
> Dear list readers,
> 
> I know that this is not a security list but it seems a good starting 
> point for me as an ordinary user to ask whether someone can point me in 
> the right direction.
> 
> I recently checked my log files of my ssh service (so far as I 
> understand this is my only service open) and realized that from the very 
> same IP I got a lot of requests trying to guess a user name on my system, 
> I assume. Since login name always changes in even chronological 
> alphabetical order.
> 
> So shall I worry about it or do I need to do some countermeasures?
> 
> Requests look like:
> Oct 23 10:49:42 ********* sshd[15806]: Failed password for root from 
> 81.208.32.170 port 1354 ssh2

As you have already realized, it is generally not safe to allow ssh
access for root.  In fact, Fedora by default does not allow root to have
ssh access.

I recently set up a nifty utility on an FC4 server called sshdfilter.
It allows at most 3 guesses of a password for a valid user before
blocking, and only one try with an invalid name or without the ssh id.
It does require that you have iptables running to do its job.

I got the tool and instructions here.
http://www.csc.liv.ac.uk/~greg/sshdfilter/
It was extremely easy to set up using the instructions for FC3 with
slight modifications for FC4 and seems to work well.

Since installing it I have gotten an average of 4 - 5 hits a day from
the script kiddies, as compared to at times over 1000 per day before the
filter was installed.

Since I also run an ftp server I am considering a similar approach to
blocking hacking attempts there as well.


> If someone can point me in the right direction what to do and what 
> certainly not to do I would be thankful.
> 
> Thanks,
> fengler
> 
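
The blocking policy described in the reply above (three failed passwords for an existing account, one attempt with an unknown login name), as an added Python example that is not part of the original post and is not sshdfilter's own code. The host name, addresses and log lines are constructed, and the iptables rule is one plausible form, built as a string and never executed.

```python
import re
from collections import Counter

# Thresholds taken from the reply's description of the policy.
MAX_VALID_USER_FAILURES = 3    # failed passwords tolerated for an existing account
MAX_INVALID_USER_FAILURES = 1  # an unknown login name blocks on the first try

# Older OpenSSH logs "illegal user", newer releases "invalid user".
# Anchored at end of line with a greedy user field, so the address taken is
# the one sshd appended, not text that happens to sit inside the login name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:invalid|illegal) user )?"
    r"(?P<user>.+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?\s*$"
)

def addresses_to_block(lines):
    """Return source IPs that reach a threshold, in the order they reach it."""
    valid, invalid, blocked = Counter(), Counter(), []
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip = m.group("ip")
        (invalid if m.group("bad") else valid)[ip] += 1
        over = (invalid[ip] >= MAX_INVALID_USER_FAILURES
                or valid[ip] >= MAX_VALID_USER_FAILURES)
        if over and ip not in blocked:
            blocked.append(ip)
    return blocked

def iptables_rule(ip):
    """Build (not run) a rule that drops further SSH traffic from ip."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

# Constructed sample log: documentation address ranges, hypothetical host "host1".
SAMPLE_LOG = """\
Oct 23 10:49:42 host1 sshd[15806]: Failed password for root from 192.0.2.10 port 1354 ssh2
Oct 23 10:49:45 host1 sshd[15808]: Failed password for root from 192.0.2.10 port 1360 ssh2
Oct 23 10:49:49 host1 sshd[15810]: Failed password for root from 192.0.2.10 port 1371 ssh2
Oct 23 10:50:02 host1 sshd[15815]: Failed password for illegal user aaron from 198.51.100.7 port 4021 ssh2
Oct 23 10:51:30 host1 sshd[15820]: Failed password for alice from 203.0.113.5 port 5510 ssh2
Oct 23 10:51:41 host1 sshd[15822]: Accepted password for alice from 203.0.113.5 port 5512 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip in addresses_to_block(SAMPLE_LOG):
        print(iptables_rule(ip))
```

A single mistyped password from 203.0.113.5 followed by a successful login stays below the threshold, so that address is not listed.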

