Jeff Vian wrote:
> On Mon, 2005-10-24 at 09:49 +0000, Stephanus Fengler wrote:
>
>> Dear list readers,
>>
>> I know that this is not a security list but it seems a good starting
>> point for me as an ordinary user to ask whether someone can point me in
>> the right direction.
>>
>> I recently checked the log files of my ssh service (as far as I
>> understand this is my only service open) and realized that from the very
>> same IP I got a lot of requests trying to guess a user name on my system,
>> I assume, since the login name always changes in even chronological
>> alphabetical order.
>>
>> So shall I worry about it or do I need to take some countermeasures?
>>
>> Requests look like:
>> Oct 23 10:49:42 ********* sshd[15806]: Failed password for root from
>> 81.208.32.170 port 1354 ssh2
>
> As you have already realized, it is generally not safe to allow ssh
> access for root. In fact, Fedora by default does not allow root to have
> ssh access.
>
> I recently set up a nifty utility on an FC4 server called sshdfilter.
> It allows at most 3 guesses of a password for a valid user before
> blocking, and only one try with an invalid name or without the ssh id.
> It does require that you have iptables running to do its job.
>
> I got the tool and instructions here:
> http://www.csc.liv.ac.uk/~greg/sshdfilter/
> It was extremely easy to set up using the instructions for FC3 with
> slight modifications for FC4 and seems to work well.
>
> Since installing it I have gotten an average of 4 - 5 hits a day from
> the script kiddies, as compared to at times over 1000 per day before the
> filter was installed.
>
> Since I also run an ftp server I am considering a similar approach to
> blocking hacking attempts there as well.
>
>> If someone can point me in the right direction what to do and what
>> certainly not to do I would be thankful.

I found that making sshd on an internet-facing machine only accept keys is more secure.
You can turn off password auth in /etc/ssh/sshd_conf with a "PasswordAuthentication no" line. However, the attempts at your system are not thwarted. There are a few methods, but the one that sounds cool and that I followed on the IPTables list is here:
https://lists.netfilter.org/pipermail/netfilter/2005-June/060914.html

HTH
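The two checks this thread recommends, as an added example that is not part of the original messages or of sshdfilter: a small POSIX shell script that (a) reads the effective value of `PasswordAuthentication` and `PermitRootLogin` from sshd_config text the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive) and flags anything other than `no`, and (b) counts "Failed password" lines per source IP from auth-log text, so you can see whether one address is hammering you before you decide on blocking. The config snippets and log lines are constructed for the example (the log lines are modelled on the one quoted above); on a real host you would feed it /etc/ssh/sshd_config (or `sshd -T` output on newer OpenSSH) and /var/log/secure.

```shell
#!/bin/sh
# Added example: audit sshd password/root settings and summarise failed logins by IP.

# Constructed sample sshd_config text (not from any real host).
SAMPLE_CONFIG='# hardened sample
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
'

# Constructed weak sample for comparison.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes
'

# Constructed log lines modelled on the "Failed password for root from ..." line
# in the original post; the IPs are documentation/example addresses.
SAMPLE_LOG='Oct 23 10:49:42 host sshd[15806]: Failed password for root from 81.208.32.170 port 1354 ssh2
Oct 23 10:49:45 host sshd[15808]: Failed password for invalid user alice from 81.208.32.170 port 1360 ssh2
Oct 23 10:49:48 host sshd[15810]: Failed password for admin from 81.208.32.170 port 1371 ssh2
Oct 23 10:50:01 host sshd[15812]: Accepted publickey for stephanus from 192.0.2.10 port 40000 ssh2
Oct 23 10:50:12 host sshd[15814]: Failed password for root from 198.51.100.7 port 2222 ssh2
'

# effective_setting CONFIG_TEXT KEYWORD
# Prints the value of the first uncommented occurrence of KEYWORD, matching
# sshd's own rule (first match wins, keyword case-insensitive). Prints nothing
# if the keyword is absent, i.e. the compiled-in default applies.
effective_setting() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_config CONFIG_TEXT
# Returns 0 when password auth and root login are both off, 1 otherwise,
# printing one finding per weak setting.
audit_config() {
  config=$1
  status=0
  pa=$(effective_setting "$config" PasswordAuthentication)
  if [ "$pa" != "no" ]; then
    echo "PasswordAuthentication is '${pa:-unset, default yes}': set 'PasswordAuthentication no'"
    status=1
  fi
  prl=$(effective_setting "$config" PermitRootLogin)
  if [ "$prl" != "no" ]; then
    echo "PermitRootLogin is '${prl:-unset}': set 'PermitRootLogin no'"
    status=1
  fi
  return $status
}

# failed_by_ip LOG_TEXT [THRESHOLD]
# Prints "IP COUNT" for every source address with at least THRESHOLD (default 3)
# "Failed password" lines, sorted so the output is stable.
failed_by_ip() {
  printf '%s\n' "$1" | awk -v threshold="${2:-3}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # The source address is the token after "from", whatever precedes it.
      for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
    }
    END { for (ip in count) if (count[ip] >= threshold) print ip, count[ip] }' | sort
}

# Stand-alone run against the constructed samples.
audit_config "$SAMPLE_CONFIG" && echo "hardened sample: ok"
audit_config "$WEAK_CONFIG" || echo "weak sample: findings above"
echo "addresses with 3 or more failed passwords:"
failed_by_ip "$SAMPLE_LOG" 3
```

Reading the first occurrence rather than the last matters in practice: a hardening line appended to the bottom of sshd_config does nothing if an earlier `PasswordAuthentication yes` is already in effect, which is exactly the kind of mistake a quick `grep` would miss. The per-IP count is the raw material tools such as sshdfilter act on; here it only reports, leaving the blocking decision to you.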