SSH brute force China and Linux: best practices

Peter Beckman beckman at angryox.com
Sat Jan 30 13:55:19 CST 2010


On Sat, 30 Jan 2010, Bazy wrote:

> On Sat, Jan 30, 2010 at 6:47 AM, Bobby Mac <bobbyjim at gmail.com> wrote:
> 
>> So after many years of a hiatus from Linux,  I recently dropped XP in favour
>> of Fedora.  Now that my happy windows blinders are off, I see alarming
>> things.  Ugly ssh brute force, DNS server IP spoofing with scans and typical
>> script kiddie tactics.
>
> Take a look at http://www.fail2ban.org and
> http://denyhosts.sourceforge.net. I'm not Chinese but I'm sure that
> brute-force attacks come from all over the world. Here's a little from
> my logwatch.

  For securing ssh, better than either of those is sshguard.  fail2ban is a
  Python script, as is denyhosts.  Script-based services are fine, but
  native compiled code is better, lower memory, less overhead.

  sshguard is better because it's written in C, can read multiple log
  formats, can block for many popular services (dovecot, ftp daemons, even
  an imap daemon) and it works with many popular existing firewalls: pf,
  netfilter, iptables, ipfw, ipfilter, tcpd, even IBM's AIX firewall.

     http://www.sshguard.net/

  I've run it for 3 years now, solid as a rock.  Questions are quickly
  answered in the mailing lists by the lead developer Mij.

  Additionally, you may want to consider using SSH Key Authorization only,
  and disable password authentication.  This guarantees that brute force
  attacks will fail, because they only use username + Password (AFAICT), not
  random private keys.

  Here is a good article on how to enable Key-based auth (may already be
  enabled), as well as how to turn Password Auth off in ssh to
  protect/eliminate ssh brute force successes.

     http://www.debuntu.org/ssh-key-based-authentication

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------


More information about the NANOG mailing list