repeated ssh login attempts/failure/break-in attempts from
pauls at utdallas.edu
Fri Mar 31 15:54:00 UTC 2006
--On Friday, March 31, 2006 08:42:30 -0500 Nathan Vidican
<nvidican at wmptl.com> wrote:
> Noted recently in auth.log, a string of connection attempts
> repeated/failed over and over from one host - looks like a script
> someone's running, tries all kinds of various usernames, etc... attempts
> like 100-200 logins, fails and goes away.
> Few hours go by, and another such attempt, from a different IP comes in.
> If I'm here and just happen to notice them - simple ipfw add deny... does
> the trick, but is there not a way to limit the login attempts for a
> certain period of time?
Others have offered various solutions, but I think it's worth saying - when
you connect to the internet, regardless of what OS or hardware you're
running, you're going to be attacked 24/7. That's the nature of the
internet. There's not a damn thing you can do about that. If you have the
option of moving services to odd ports, then that provides an easy
solution. Many people don't have that option.
However, by moving ssh to a different port, you aren't eliminating the
problem - merely your knowledge of it. The attacks are still taking place.
The service is no longer listening there. These attacks should be a
warning to you. ALL the services on your box are being attacked 24/7.
There are no exceptions.
What can you do?
Keep your box patched ALWAYS. OS is irrelevant. They ALL get broken into.
(You name the OS - I've seen one hacked - RedHat, Debian, Slackware,
Solaris, Mac OS X, it doesn't matter.)
NEVER run ANY unnecessary services. I haven't enabled inetd in so long I
don't remember what's in it, but it's amazing how many boxes are still
running chargen, rpc.statd and a host of other services that are completely
unnecessary (not to mention that few even know what they do anymore.)
Restrict access to only those who should have access - by service and by
NEVER share your password with anyone, and use passwords that contain all
four types of characters; lower case and upper case alpha, numeric and
special. An eight character random alpha password can be cracked in less
than an hour on a modern computer, so encryption is not enough.
Don't run inherently insecurely designed daemons. The first thing I do on
every FreeBSD box I set up is disable sendmail and install postfix.
Run portaudit. Then you'll know about vulnerabilities immediately, and you
can portupgrade to fix the problem.
Run a firewall, if you can. Incoming should be blocked by default except
for allowed services.
Being secure and staying secure is your responsibility.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
More information about the freebsd-questions