[121890] in North American Network Operators' Group


Re: SSH brute force China and Linux: best practices

daemon@ATHENA.MIT.EDU (Peter Beckman)
Sat Jan 30 14:55:43 2010

Date: Sat, 30 Jan 2010 14:55:19 -0500
From: Peter Beckman <beckman@angryox.com>
To: Bazy <bazy84@gmail.com>
In-Reply-To: <6c2184ab1001300222q37847365g81d6e5f8a9dbac73@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Sat, 30 Jan 2010, Bazy wrote:

> On Sat, Jan 30, 2010 at 6:47 AM, Bobby Mac <bobbyjim@gmail.com> wrote:
>
>> So after many years of a hiatus from Linux, I recently dropped XP in favour
>> of Fedora. Now that my happy windows blinders are off, I see alarming
>> things. Ugly ssh brute force, DNS server IP spoofing with scans and typical
>> script kiddie tactics.
>
> Take a look at http://www.fail2ban.org and
> http://denyhosts.sourceforge.net. I'm not Chinese but I'm sure that
> brute-force attacks come from all over the world. Here's a little from
> my logwatch.

  For securing ssh, better than either of those is sshguard.  fail2ban is a
  Python script, as is denyhosts.  Script-based services are fine, but
  native compiled code is better, lower memory, less overhead.

  sshguard is better because it's written in C, can read multiple log
  formats, can block for many popular services (dovecot, ftp daemons, even
  an imap daemon) and it works with many popular existing firewalls: pf,
  netfilter, iptables, ipfw, ipfilter, tcpd, even IBM's AIX firewall.

     http://www.sshguard.net/

  I've run it for 3 years now, solid as a rock.  Questions are quickly
  answered in the mailing lists by the lead developer Mij.

  Additionally, you may want to consider using SSH Key Authorization only,
  and disable password authentication.  This guarantees that brute force
  attacks will fail, because they only use username + Password (AFAICT), not
  random private keys.

  Here is a good article on how to enable Key-based auth (may already be
  enabled), as well as how to turn Password Auth off in ssh to
  protect/eliminate ssh brute force successes.

     http://www.debuntu.org/ssh-key-based-authentication

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
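As an added example that is not from the thread, nor from sshguard, fail2ban or denyhosts, here is the core sliding-window detection those log-watching tools apply to sshd failures before handing a source address to the firewall; the log lines, source IPs, year, threshold and window are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not from the list post), in OpenSSH's
# syslog format with documentation-range source IPs. A syslog timestamp
# carries no year, so the parser takes the year as a parameter.
SAMPLE_LOG = """\
Jan 30 14:50:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 30 14:50:03 host sshd[2102]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Jan 30 14:50:04 host sshd[2103]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jan 30 14:50:09 host sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40150 ssh2
Jan 30 14:51:00 host sshd[2105]: Accepted publickey for beckman from 198.51.100.5 port 51022 ssh2
Jan 30 15:40:00 host sshd[2107]: Failed password for root from 192.0.2.9 port 33000 ssh2
Jan 30 15:41:00 host sshd[2108]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jan 30 15:42:00 host sshd[2109]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jan 30 15:43:00 host sshd[2110]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year):
    """Yield (timestamp, source ip) for each failed-password line; other
    lines (successful key logins, other daemons) are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_brute_forcers(log_text, threshold=4, window_seconds=60, year=2010):
    """Return {ip: time the threshold was first crossed}. Each source keeps a
    sliding window of recent failures; a slow, spread-out guesser stays under
    a short window, which is why the window length is a tuning decision."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    tripped = {}
    for ts, ip in parse_failures(log_text, year):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # expire failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped
```

With the default 60-second window only the fast guesser (203.0.113.7) trips; widening the window to 300 seconds also catches the one-attempt-per-minute source (192.0.2.9), and with password authentication disabled as the post recommends, neither source can succeed regardless of the tuning.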