[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SSH Attacks - What to do?
Freshmeat has an inital project release today that may help address this
BanFromLog is a shell script that examines your /var/log/auth.log and
searches for the IP addresses of login attempts which use non-existent
user names. It is configured for use with sqlite or MySQL.
>On Sat, 30 Jul 2005 20:17:49 -0500, Steven Pritchard wrote
>>On Wed, Jul 27, 2005 at 03:19:21PM -0500, Tim McDonough wrote:
>>>In reviewing the logs on my Linux server I see that for today and much
>>>of yesterday someone has a machine set up that's trying to log in
>>>every few seconds via SSH. They have had no success so far. Here's a
>>>snippet of the message log, the file is huge with these things. (The
>>>last two entries are me doing legitimate work.)
>>I just noticed something like 55k failed login attempts on one of my
>>few systems that has sshd open to the world. Unfortunately, I can't
>>cut off access to that system, and it would be somewhat painful to
>>disallow password authentication in general. There seems to be
>>another alternative though:
>> PermitRootLogin without-password
>>Despite how it sounds, that appears to disable password authentication
>>for root, but nobody else.
>In /etc/ssh/sshd_config, I use the "AllowUsers" option, like this:
> AllowUsers fred, barney, wilma, betty
>Note that root isn't one of them. If I need to be root, I log in as "fred" and
>either use "sudo" or do an "su -".
>I do want to try the "PermitRootLogin" thing shown above, although I agree that it
>appears to be a bit misleading. 8-)
>To unsubscribe, send email to email@example.com with
>"unsubscribe luci-discuss" in the body.
To unsubscribe, send email to firstname.lastname@example.org with
"unsubscribe luci-discuss" in the body.