On Wed, May 04, 2005 at 04:01:18PM -1000, Chris Stark wrote:
> On Wednesday 04 May 2005 3:47 pm, Jeff Vian wrote:
> > On Wed, 2005-05-04 at 18:23 -0700, Daniel B. Thurman wrote:
> > > Folks,
> > >
> > > Seems that I am getting daily brute-force ssl attacks --
> > > Anything I can or should do?
> > >
> > > Here are the System Logs:
> > > =======================================
> > > May 4 01:01:50 linux sshd[10438]: Did not receive identification string from ::ffff:194.65.138.98
> > > May 4 01:04:44 linux sshd[10448]: Illegal user temp from ::ffff:194.65.138.98
> > > May 4 01:04:57 linux sshd[10448]: Failed password for illegal user temp from ::ffff:194.65.138.98 port 52888 ssh2
> >
> > I set my firewall to block ssh from everywhere except the few places I
> > might use for remote access. It drastically cut down the attempts to
> > get in. I now only get hit from one or 2 IPs a day.
>
> What would you recommend for those of us who need to administer systems from
> dynamic IPs? I've got pretty tight restrictions on allowed users/groups plus
> no root logins. I haven't gotten broken into, but this sure is irritating. Is
> there more that can be done (reasonably)?

Set up a "port knocking" scheme combined with dynamic ssh port re-assignment.

Port knocking = you must probe a certain combination of ports in a certain order to get the IP addr. you are coming from to be permitted to connect to the "ssh ports". This combo/order can change dynamically based on time of day, day of week, day of month, etc.

Dynamic ssh port re-assignment = the port which ssh uses changes dynamically based on time of day, five minute range, etc. Make sure your watch and the ssh host are in time sync. :-)

Most of the folks attacking you are script kiddies. This will shut them down (for now) and reduce the verbiage in your logs.

This is somewhat of a security by obscurity technique, except for the second reference below.

Article on LJ:
http://www.linuxjournal.com/article/6811

A strong port knock scheme based on one-time pads (more convenient and more secure!):
http://www.hexi-dump.org/bytes.html

Port knocking w/OS fingerprinting:
http://it.slashdot.org/it/04/08/01/0436204.shtml

-- 
Jeff Kinz, Emergent Research, Hudson, MA.
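The time-slotted knock sequence and dynamic ssh port that the reply describes, as an added example (not code from the thread or from any of the linked articles): both sides share a secret and derive the knock ports and the ssh port for each five-minute slot from an HMAC, so the schedule changes without coordination and the host accepts a neighbouring slot to absorb the clock skew the reply warns about. The secret, port ranges and knock length are constructed placeholders.

```python
import hashlib
import hmac
import struct
import time

# Constructed placeholder; in practice a random secret shared by client and host.
SECRET = b"constructed-shared-secret"
SLOT_SECONDS = 300               # the "five minute range" from the reply
KNOCK_LEN = 4                    # how many closed ports make up one knock
KNOCK_RANGE = (20000, 30000)     # knock ports are drawn from here
SSH_RANGE = (40000, 50000)       # sshd is moved to a port drawn from here


def slot_for(ts):
    """Map a Unix timestamp onto its five-minute slot number."""
    return int(ts) // SLOT_SECONDS


def _ports(secret, slot, label, count, lo, hi):
    """Derive `count` ports in [lo, hi) from HMAC(secret, label || slot)."""
    msg = label + struct.pack(">Q", slot)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = hi - lo
    return [lo + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(count)]


def knock_sequence(secret, slot):
    """Ordered ports a client must probe during this slot."""
    return _ports(secret, slot, b"knock", KNOCK_LEN, *KNOCK_RANGE)


def ssh_port(secret, slot):
    """Port sshd (or a firewall redirect) should listen on during this slot."""
    return _ports(secret, slot, b"ssh", 1, *SSH_RANGE)[0]


def verify_knock(secret, observed, now, tolerance=1):
    """Host side: accept a knock that matches the current slot or a neighbour
    (absorbs clock skew between the client's watch and the host).
    Returns the matched slot, or None when the knock should be ignored."""
    current = slot_for(now)
    for delta in range(-tolerance, tolerance + 1):
        if list(observed) == knock_sequence(secret, current + delta):
            return current + delta
    return None


if __name__ == "__main__":
    s = slot_for(time.time())
    print("slot", s, "knock", knock_sequence(SECRET, s), "ssh port", ssh_port(SECRET, s))
```

The host would feed the ordered ports seen from one source address into `verify_knock` and only then open `ssh_port` for that address until the slot expires.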