22nd May 2009
mwatkins

Quote:
Originally Posted by Mantazz
Or, crawling the internet, looking for open ssh ports on any system they can get a response from. I would expect if this was the case that the attempts would come by "ssh 123.45.67.89".
I can't add anything new to this except to reiterate that this is normal behaviour and to suggest you consider implementing "pf" - info abounds including the "sticky thread" in this subforum on brute force ssh attacks.

Quote:
Originally Posted by Mantazz
(a win2k box I had with cygwin sshd was once found in less than a half hour), so that is what I figure the most likely way that my server was found.
Earlier today I brought up a new virtual server running FreeBSD; within several hours auth.log reports the first attempt at breaking in, this machine from Columbia.

On another machine that has been up for some time my "ssh-offenders" table auto-populated from the pf firewall has several dozen entries already over the last week - I clear it out once in a while.

Bottom line: use public-keys for access; disable PermitRootLogin in /etc/ssh/sshd_config, and consider using PF. The latter is a good exercise even if you don't feel blocking the offenders is necessary, because you'll have gained some knowledge and will have a working packet filter config running and be able to extend it when something more serious than random brute force ssh attempts shows up.

Oh yeah... "don't worry, be happy".

There are other security fish to fry.
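A pf.conf fragment showing how a table like the "ssh-offenders" one mentioned above can auto-populate, as an added example that is not part of the original post. The interface name `em0` and the connection thresholds are assumptions; only the table name comes from the post.

```pf
# /etc/pf.conf fragment (added example, not the poster's actual ruleset)

# Assumed external interface name; adjust to the host.
ext_if = "em0"

# Sources that tripped the rate limit below land here.
# "persist" keeps the table in memory even when no rule references entries yet.
table <ssh-offenders> persist

# Drop traffic from known offenders first; "quick" stops rule evaluation,
# so a later pass rule cannot re-admit them.
block in quick on $ext_if from <ssh-offenders>

# Allow ssh, but track each source address:
#   max-src-conn 10        - at most 10 simultaneous connections per source
#   max-src-conn-rate 5/60 - at most 5 new connections per 60 seconds
#   overload <table>       - a source exceeding either limit is added to the table
#   flush global           - existing states from that source are killed at once
# The limits are illustrative values (assumptions), not taken from the post.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <ssh-offenders> flush global)

# Operating the table from the shell:
#   pfctl -nf /etc/pf.conf                 parse the ruleset without loading it
#   pfctl -f /etc/pf.conf                  load the ruleset
#   pfctl -t ssh-offenders -T show         list current entries
#   pfctl -t ssh-offenders -T expire 86400 drop entries older than one day
#   pfctl -t ssh-offenders -T flush        clear the table entirely
```

Running the `expire` command from cron replaces clearing the table by hand, and a legitimate user who trips the limit is re-admitted once their entry ages out.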