SSH brute force China and Linux: best practices
Peter Beckman
beckman at angryox.com
Sat Jan 30 19:55:19 UTC 2010
On Sat, 30 Jan 2010, Bazy wrote:
> On Sat, Jan 30, 2010 at 6:47 AM, Bobby Mac <bobbyjim at gmail.com> wrote:
>
>> So after many years of a hiatus from Linux, I recently dropped XP in favour
>> of Fedora. Now that my happy windows blinders are off, I see alarming
>> things. Ugly ssh brute force, DNS server IP spoofing with scans and typical
>> script kiddie tactics.
>
> Take a look at http://www.fail2ban.org and
> http://denyhosts.sourceforge.net. I'm not Chinese but I'm sure that
> brute-force attacks come from all over the world. Here's a little from
> my logwatch.
For securing ssh, better than either of those is sshguard. fail2ban is a
Python script, as is denyhosts. Script-based services are fine, but
native compiled code is better, lower memory, less overhead.
sshguard is better because it's written in C, can read multiple log
formats, can block for many popular services (dovecot, ftp daemons, even
an imap daemon) and it works with many popular existing firewalls: pf,
netfilter, iptables, ipfw, ipfilter, tcpd, even IBM's AIX firewall.
http://www.sshguard.net/
I've run it for 3 years now, solid as a rock. Questions are quickly
answered in the mailing lists by the lead developer Mij.
Additionally, you may want to consider using SSH Key Authorization only,
and disable password authentication. This guarantees that brute force
attacks will fail, because they only use username + Password (AFAICT), not
random private keys.
Here is a good article on how to enable Key-based auth (may already be
enabled), as well as how to turn Password Auth off in ssh to
protect/eliminate ssh brute force successes.
http://www.debuntu.org/ssh-key-based-authentication
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
More information about the NANOG
mailing list