illegal user root user failed login attempts
Ed Stover
estover at nativenerds.com
Thu May 19 02:35:07 PDT 2005
Emanuel Strobl wrote:
> On Wednesday, 18 May 2005 22:56, Kirk Strauser wrote:
>
>>On Tuesday 17 May 2005 09:36, Peter Kropholler wrote:
>>
>>>As things stand, ssh is designed so you can't get at people's
>>>passwords and I am leaving it alone. Focussing instead on the task of
>>>making sure my passwords are strong, limiting AllowUsers to specific
>>>users and trusted ip addresses, and moving ssh off port 22.
>>
>>Alternatively, scrap all that and force RSA authentication after
>>disabling password login. I could give you my root password (and even
>>my personal password) and there isn't jack you can do with it because no
>>services authenticate off it; it's only useful for logging in locally.
>
>
> IMHO that's the only way to cope with these crappy hacked boxes.
> Additionally that was the original idea of SSH as far as I know.
> Maybe time to think about disabling ChallengeResponseAuth
> in /etc/ssh/sshd_conf by default in FreeBSD?
>
> -Harry
There is a wealth of things that we can do for protection:
1: (mentioned earlier) move ssh off port 22
2: use tcp wrappers "/etc/hosts.allow"
3: don't allow users to have a shell or at least restrict the shell (rbash)
4: firewall incoming ssh connections

One of my personal favorite things to do is:
move ssh to port 1001
install portsentry
have portsentry listen to port 22
log, report to abuse, and repeat

You could even finger the machine that is trying to connect. It will
tell you who was logged onto it when the incident happened.
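
The sshd settings named in this thread (a non-default port, AllowUsers, password and challenge-response login disabled) can be checked mechanically. The following is an added example, not part of any poster's message: it audits only the global section of an sshd_config, and the sample configurations, user name and address in it are constructed.

```python
# Added example (assumes stock OpenSSH defaults when a keyword is absent).
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes"}

def parse_global(text):
    """Parse the global section (everything before the first Match block)."""
    first, ports, allow_users = {}, [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break
        if key == "port":
            ports.extend(args)  # Port may be given several times
        elif key == "allowusers":
            allow_users.extend(args)  # AllowUsers entries accumulate
        elif args:
            first.setdefault(key, args[0].lower())  # first value seen wins
    return first, ports or ["22"], allow_users

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    first, ports, allow_users = parse_global(text)
    findings = []
    if "22" in ports:
        findings.append("listening on port 22")
    for key, default in DEFAULTS.items():
        if first.get(key, default) != "no":
            findings.append(key + " is not disabled")
    if not allow_users:
        findings.append("no AllowUsers restriction")
    return findings

# Constructed samples. In WEAK the later 'no' does not override the first 'yes'.
WEAK = """\
PasswordAuthentication yes
PasswordAuthentication no
"""

HARDENED = """\
Port 1001
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers alice@192.0.2.10
"""

if __name__ == "__main__":
    print("WEAK:", audit(WEAK), "HARDENED:", audit(HARDENED))
```

Settings inside Match blocks are not examined, so a per-user override that re-enables password login needs a separate check.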