System Intrusion Detection

Ean Kingston ean at istop.com
Tue May 9 15:25:14 UTC 2006


M,

There are several choices you can make to deal with this. 

First, be sure your root password is 'strong'. Generally 'strong' means
that it is a combination of upper case, lower case, and numbers with a
decent length. I personally go with at least 12 characters and throw in
some punctuation as well. Also, don't use real words.

Second, configure your ssh daemon to only support public key
authentication (PubkeyAuthentication, RSAAuthentication). This means
every user needs to have a public/private key pair. One part stays on the
server, the other goes to the remote system and is used to authenticate
with the server. This also makes the password attacks you are seeing
pretty useless.

Third, if your users are all coming in from a relatively small list of
IP addresses, you can consider using tcpwrappers (which should have been
built in to your sshd daemon). This allows you to configure the sshd
daemon to only allow access from a restricted set of IP addresses (or
block a specific set of addresses). This method will also stop those
messages from appearing in your mail once it is set up properly.

I use all three techniques. Unfortunately, I have found that I have to
pretty much exclude large parts of the world from accessing my ssh
server for the third option to be effective, and it is getting worse. I
used to have to block only a handful of countries, but I'm now seeing
attempts from several continents.

"M. Goodell" <freebsdutah at yahoo.com> said:

> More and more each day I am seeing my root emails contain hundreds of
> entries like this:
>
>   May  8 02:23:35 warpstone sshd[26092]: Failed password for root from
>   222.185.245.208 port 50519 ssh2
>   May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM
>   211.44.250.152, Administrator
>
> Basically, people are attempting to hack into my server, often with
> a few thousand attempts each day. What measures can I take to stop
> these attempts? Is there a way I can detect these attacks and
> automatically cut them off? Are any of the security ports effective
> against this?
>
> Thank you!
>
> M Goodell
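As an added illustration (not part of either poster's message) of the "detect and cut off" part of the question together with the tcpwrappers approach in the reply, the script below parses sshd and ftpd failure lines in the format quoted above, counts failures per source address, and renders deny rules. The log lines are constructed samples using documentation address ranges, and the `daemon : client : deny` form is assumed to be the extended hosts.allow syntax accepted by FreeBSD's tcpwrappers.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format quoted in the thread (not real data).
SAMPLE_LOG = """\
May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 203.0.113.10 port 50519 ssh2
May  8 02:23:37 warpstone sshd[26094]: Failed password for root from 203.0.113.10 port 50520 ssh2
May  8 02:23:39 warpstone sshd[26096]: Failed password for invalid user admin from 203.0.113.10 port 50521 ssh2
May  8 02:24:01 warpstone sshd[26101]: Failed password for root from 198.51.100.7 port 40110 ssh2
May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 203.0.113.10, Administrator
May  8 16:38:02 warpstone sshd[34720]: Accepted publickey for ean from 192.0.2.5 port 51000 ssh2
"""

# One pattern per service; both capture the client IPv4 address.
SSHD_FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+")
FTPD_FAILED = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (\d+\.\d+\.\d+\.\d+),")


def count_failures(log_text):
    """Return a Counter of failed-login attempts per source IP across sshd and ftpd."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in (SSHD_FAILED, FTPD_FAILED):
            match = pattern.search(line)
            if match:
                counts[match.group(1)] += 1
                break  # a line belongs to exactly one service
    return counts


def offenders(counts, threshold):
    """Addresses with at least `threshold` failures, most failures first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def hosts_allow_deny(ips):
    """Render tcpwrappers deny rules in the (assumed) FreeBSD extended hosts.allow form.
    A wrappers-enabled sshd evaluates these itself; an inetd-spawned ftpd does too."""
    return [f"sshd ftpd : {ip} : deny" for ip in ips]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for rule in hosts_allow_deny(offenders(failures, threshold=3)):
        print(rule)
```

In practice the input would be /var/log/auth.log and the threshold tuned so that a user mistyping a password a couple of times is not locked out.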
