Quote:
Originally Posted by Mantazz
Or, crawling the internet, looking for open ssh ports on any system they can get a response from. I would expect if this was the case that the attempts would come by "ssh 123.45.67.89".
I can't add anything new to this except to reiterate that this is normal behaviour and to suggest you consider implementing "pf" - info abounds including the "sticky thread" in this subforum on brute force ssh attacks.
Quote:
Originally Posted by Mantazz
(a win2k box I had with cygwin sshd was once found in less than a half hour), so that is what I figure the most likely way that my server was found.
Earlier today I brought up a new virtual server running FreeBSD; within several hours auth.log reports the first attempt at breaking in, this machine from Columbia.
On another machine that has been up for some time, my "ssh-offenders" table, auto-populated from the pf firewall, has several dozen entries already over the last week - I clear it out once in a while.
Bottom line: use public-keys for access; disable PermitRootLogin in /etc/ssh/sshd_config, and consider using PF. The latter is a good exercise even if you don't feel blocking the offenders is necessary, because you'll have gained some knowledge and will have a working packet filter config running and be able to extend it when something more serious than random brute force ssh attempts shows up.
Oh yeah... "don't worry, be happy".
There are other security fish to fry.
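
Added example, not part of the original post or the poster's own configuration: a pf.conf fragment of the kind described above, in which pf itself fills an "ssh-offenders" table with sources that open ssh connections too quickly. The interface name `em0`, the thresholds, and the default-deny layout are assumptions to adapt to your host.

```conf
# /etc/pf.conf fragment (constructed example)
ext_if = "em0"                      # assumption: external interface name

# Table name taken from the post; "persist" keeps it even when empty.
table <ssh-offenders> persist

set skip on lo0

# Default-deny inbound, allow outbound. Only ssh is passed inbound below;
# add pass rules for any other service this host offers before loading.
block in log all
pass out quick keep state

# Drop sources already in the table before any pass rule is considered.
block in quick on $ext_if from <ssh-offenders>

# Allow ssh, tracking each source address:
#   max-src-conn 10        at most 10 simultaneous connections per source
#   max-src-conn-rate 5/60 at most 5 new connections per 60 seconds
# A source exceeding either limit is added to <ssh-offenders>, and
# "flush global" kills all of its existing states.
pass in on $ext_if inet proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <ssh-offenders> flush global)

# Operating it:
#   pfctl -nf /etc/pf.conf                   parse only, do not load
#   pfctl -f  /etc/pf.conf                   load the rule set
#   pfctl -t ssh-offenders -T show           list blocked sources
#   pfctl -t ssh-offenders -T expire 86400   drop entries older than one day
```

Keep a console or second session open when loading a new rule set over ssh, and set the rate limits high enough that legitimate automation (for example scp in a loop) does not trip them.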