Re: SSH hammering

Author: Craig White
Date:  
To: plug-discuss
Subject: Re: SSH hammering
On Thu, 2005-04-28 at 06:33 -0700, Mike Hoy wrote:
> Hi,
>
> I just set up a new server with FC3. After reading George Toft's
> presentation on security I thought it would be a good idea. I had Gentoo
> installed and probably it was being hacked all the time, I don't know.
>
> Today in my new install of FC3 I was told as root that I 'had new
> messages' in /var/spool/mail/root,
> so I checked it out.
> Somebody has been trying to ssh into my account with all kinds of usernames
> and apparently with no success. I'm told this is called ssh hammering
> and I need to set up iptables. I need to get started on tightening up
> security on this thing. My server runs a website and ssh will need to be
> running.
> My question (I'm sure more to come):
> I was told I can set ssh up so that root can only access ssh from
> 127.0.0.1. How do I go about doing that?

----
edit /etc/ssh/sshd_config - it should be obvious where the changes
should be made but if not, let us know.
----
> Also, how can I make my personal
> username have access to /whatever/apache/htdocs/* so I don't have to be
> root to edit things?

----
Generally it's easier to have each user put their web pages in their own
directory.

# getent passwd|grep craig
craig:x:500:500:Craig White:/home/craig:/bin/bash

mkdir /home/craig/html
chown craig:dom_users /home/craig/html

edit /etc/httpd/conf/httpd.conf
to serve this directory

Note that craig has a valid shell.
Note that I never use ftp for upload and thus don't turn on ftp at all,
but use scp/sftp.
Note that a serious look at what you are doing with iptables is
important on any computer directly exposed to the internet.
Note that I generally don't use the standard port 22 for sshd any more,
because of the experiences that you are observing, but rather move it
to an unprivileged port (> 1024).

If you want to keep port 22 and sshd active, you might want to look at
some scripts that identify these types of attacks such as...


http://bluedogsecurity.cyberinfo.se/ssh_block/

http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry

Craig
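The two things discussed in the message above (restricting root to the loopback address and moving sshd off port 22 in sshd_config, and a small script in the style of the ssh_block / sshd_sentry links that picks the hammering addresses out of the log and turns them into iptables rules) as one worked example. This is an added example, not code from Craig's post or from either linked project. It assumes the user is "craig", the new port is 2222, and that the log lines look like what sshd on FC3 writes to /var/log/secure; the config excerpt and the log lines are constructed for the demonstration. The 127.0.0.1 restriction is done with a USER@HOST pattern in AllowUsers, which the 2005-era sshd understands (Match blocks only arrived in OpenSSH 4.4); PermitRootLogin stays "yes" because "no" would refuse root from the loopback too.

```shell
#!/bin/sh
# Added example, not from the original post. Everything runs on constructed
# input in temp files so it can be tried without touching a live machine.

# harden_sshd_config FILE PORT USER
# Prints FILE with the brute-force-relevant directives replaced:
#   - listen on PORT instead of 22 (the unprivileged-port trick)
#   - root may log in, but only from 127.0.0.1 (the AllowUsers pattern is
#     what enforces that; PermitRootLogin must stay "yes" for it to work)
#   - nobody except USER (and root from loopback) gets past login at all
# Redirect the output to a new file, diff it against the old one, install it,
# and keep your current session open until you have tested a fresh login.
harden_sshd_config() {
    file=$1; port=$2; user=$3
    # Drop every existing setting (live or commented-out) of the directives
    # we set below, so the result contains exactly one of each.
    grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin|AllowUsers)[[:space:]]' "$file" || true
    printf '%s\n' \
        "Port $port" \
        "PermitRootLogin yes" \
        "AllowUsers root@127.0.0.1 $user"
}

# Constructed excerpt of a stock sshd_config (assumption: shape of FC3's file).
sample_sshd_config() {
    cat <<'EOF'
# constructed excerpt of a stock sshd_config
#Port 22
Protocol 2
#PermitRootLogin yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Constructed log lines in the style of sshd on FC3 (OpenSSH 3.9 said
# "Illegal user", 4.x says "Invalid user"). Two addresses are guessing
# names and passwords, one is a legitimate key-based login.
sample_secure_log() {
    cat <<'EOF'
Apr 28 06:30:11 web sshd[2931]: Illegal user admin from 192.0.2.10
Apr 28 06:30:11 web sshd[2931]: Failed password for illegal user admin from 192.0.2.10 port 4521 ssh2
Apr 28 06:30:14 web sshd[2933]: Failed password for root from 192.0.2.10 port 4530 ssh2
Apr 28 06:30:17 web sshd[2935]: Failed password for root from 192.0.2.10 port 4538 ssh2
Apr 28 06:31:02 web sshd[2940]: Accepted publickey for craig from 198.51.100.7 port 50022 ssh2
Apr 28 06:32:40 web sshd[2944]: Invalid user test from 203.0.113.5
Apr 28 06:32:40 web sshd[2944]: Failed password for invalid user test from 203.0.113.5 port 3322 ssh2
EOF
}

# find_hammering_ips LOGFILE THRESHOLD
# Counts sshd failure lines per source address and prints "ADDR COUNT" for
# every address with at least THRESHOLD of them.
find_hammering_ips() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed password|Illegal user|Invalid user)/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' "$1" | sort
}

# block_rules PORT  (reads "ADDR COUNT" lines on stdin)
# Turns find_hammering_ips output into iptables commands. They are printed,
# not executed: review them before running them, and decide how the rules
# get removed again, or one typo in your own password blocks you too.
block_rules() {
    while read -r ip count; do
        echo "iptables -I INPUT -s $ip -p tcp --dport $1 -j DROP   # $count failures"
    done
}

# Demonstration on the constructed log: who to block after 3 failures.
demo() {
    tmp=$(mktemp) || return 1
    sample_secure_log > "$tmp"
    find_hammering_ips "$tmp" 3 | block_rules 2222
    rm -f "$tmp"
}

demo
```

On the constructed log only 192.0.2.10 crosses the threshold of three; 203.0.113.5 produced two lines for a single bad attempt, which is a reminder that one guess can log more than one line, so pick the threshold with that in mind. Moving the port and dropping the noisy addresses reduces the mail from logwatch; what stops a guess from ever succeeding is not accepting passwords at all, so once keys are set up for craig the next step is PasswordAuthentication no in the same file.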

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss