Re: how to react on ssh attacks?

Michael A. Peters wrote:

On Mon, 2005-10-24 at 09:49 +0000, Stephanus Fengler wrote:
Dear list readers,

I know that this is not a security list but it seems a good starting point for me as an ordinary user to ask whether someone can point me in the right direction.

I recently checked the log files of my ssh service (as far as I understand, this is my only open service) and realized that from the very same IP I got a lot of requests trying, I assume, to guess a user name on my system, since the login name always changes, even in chronological alphabetical order.

So shall I worry about it, or do I need to take some countermeasures?

1) Make sure root login via ssh is disabled
It's not by default.

in /etc/sshd_config

there will be a line that reads

PermitRootLogin yes

Change the yes to no and then restart the sshd daemon.

2) Turn it off altogether if you don't need it.

3) Make sure all of your passwords are sane.

-=-
These random attacks are pretty common - they sniff networks for open
ssh ports, and when they find one - they try root with a bunch of
passwords, and then common user names with a bunch of passwords.

It's not really something to worry about - if you have root login
disabled, any attempts to ssh in as root will fail - and they only get
in if they happen to guess a user name AND a password. That's not likely
to happen if you have good passwords on your system (i.e. a meaningless
combination of letters, numbers, and other characters at least 10
characters long).

-=-
If you only ssh in from specific hosts, you can limit ssh access to
those hosts only - or you can use a pass key - where the connection is
not done with passwords at all, but done with a pass phrase only - which
requires a key on the connecting machine that has been signed by your
private key.

Thanks Mr. Peters,
I changed sshd_config and restarted the daemon... root@localhost is denied now, which is fine; I also thought it was disabled by default, which it wasn't. Since I am the only user of the machine and know all account passwords, I can say that they are secure and long enough.

I also read the answers from Tom Yates and Boris Glawe. I am not sure yet how I have to set up the iptables rules mentioned on Tom's page http://www.teaparty.net/technotes/ssh-rate-limiting.html, but I am starting to look into it.

Up to now I was only running the standard configuration of the FC firewall, which can be set with /usr/bin/system-config-securitylevel, with ssh as the only trusted service.

Thanks for your answers,

fengler
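The log check the original poster describes and the PermitRootLogin change from step 1 of the reply, as an added example that is not part of the thread: a POSIX shell script that counts failed sshd logins per source address over a constructed sample of the syslog lines sshd writes (/var/log/secure on Fedora), lists the usernames each address tried so a dictionary sweep stands out, and reports the effective PermitRootLogin value of a given sshd_config file. The function names, the sample lines and the 192.0.2.0/24 addresses are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: two small checks for a single-user host.
#  1. Count failed sshd logins per source address and list the usernames each
#     address tried; a run of alphabetical, non-existent names is the sweep the
#     original poster noticed in his logs.
#  2. Report the effective PermitRootLogin value of an sshd_config file, so the
#     change recommended in step 1 of the reply can be verified afterwards.
# Function names are this example's own; the log format is what sshd logs
# through syslog (/var/log/secure on Fedora).

# Constructed sample log lines; the addresses come from the 192.0.2.0/24
# documentation range and do not belong to any real host.
SAMPLE_LOG='Oct 24 09:49:01 box sshd[2101]: Failed password for invalid user aaron from 192.0.2.10 port 40211 ssh2
Oct 24 09:49:03 box sshd[2103]: Failed password for invalid user abby from 192.0.2.10 port 40212 ssh2
Oct 24 09:49:05 box sshd[2105]: Failed password for invalid user adam from 192.0.2.10 port 40213 ssh2
Oct 24 09:49:07 box sshd[2107]: Failed password for root from 192.0.2.10 port 40214 ssh2
Oct 24 09:51:30 box sshd[2120]: Failed password for fengler from 192.0.2.77 port 51002 ssh2
Oct 24 09:51:41 box sshd[2122]: Accepted password for fengler from 192.0.2.77 port 51003 ssh2'

# Read log lines on stdin; print "<failures> <address>", most failures first.
# In every "Failed password" line the address is the 3rd field from the end
# ("... from ADDR port PORT ssh2") and the username the 5th from the end,
# whether or not the "invalid user" prefix is present.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses with at least THRESHOLD failures (default 3), one per line.
suspects() {
    failed_by_ip | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Usernames one address tried, in log order, space separated.
usernames_from() {
    awk -v want="$1" '/sshd\[[0-9]+\]: Failed password for/ && $(NF-3) == want {
            s = s (s == "" ? "" : " ") $(NF-5)
         }
         END { print s }'
}

# Effective PermitRootLogin value of the config file given as $1. sshd uses the
# first uncommented occurrence of a keyword; if the directive is absent, report
# "yes", which is the out-of-the-box behaviour the reply describes.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Exit 0 when root login is off, 1 otherwise, with a one-line verdict.
check_root_login() {
    setting=$(root_login_setting "$1")
    if [ "$setting" = "no" ]; then
        echo "ok: PermitRootLogin no in $1"
        return 0
    fi
    echo "WARNING: PermitRootLogin is '$setting' in $1; set it to no and restart sshd"
    return 1
}

# Demo over the constructed sample. On a real host feed the actual log instead
# (reading it needs root):  suspects 3 < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
for ip in $(printf '%s\n' "$SAMPLE_LOG" | suspects 3); do
    echo "$ip tried: $(printf '%s\n' "$SAMPLE_LOG" | usernames_from "$ip")"
done
```

Run against the live log, the sweep shows up as one address with a long, alphabetical list of usernames that do not exist on the box, while a legitimate typo shows up as a single failure from a known address. `check_root_login` takes the sshd_config path on your system and can be re-run after the edit and restart to confirm the directive took effect.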


