attack on my server

Jamon Camisso jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Mon Aug 27 19:46:43 UTC 2007


Martin Duclos wrote:
> Hi,
> I've had a number of unauthorized attempts to gain access to my server 
> as I can see from the log files.
> 
> Aug 27 02:19:50 billy sshd(pam_unix)[9375]: authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=125.65.113.134
> 
> Aug 27 02:32:42 billy sshd(pam_unix)[9637]: authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=59-106-23-199.r-bl100.sakura.ne.jp
> 
> I'm not convinced the isp will actually do something about it. How would 
> one proceed to keep those users off my box? I was thinking of just 
> blocking those particular networks but I'm worried of blocking too many 
> people.
> 
> Is there a way to address this properly?

Easiest is to move ssh from port 22 to another port, something random, 
above 1024. That or only allow key based authentication which is the 
most secure (unless someone gets a copy of your key):

Put these into your /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

Make sure you have physical access to the box before you reload 
ssh and make sure you've already created, installed, and tested your 
keys first! It sucks to lock yourself out of your own box.

Daniel Robbins of Gentoo fame wrote a good couple of articles for IBM on 
ssh keys:
http://www.ibm.com/developerworks/library/l-keyc.html
http://www.ibm.com/developerworks/library/l-keyc2/

Another tool to use is fail2ban or denyhosts, but a few attempts get 
made before those tools block the offending ip. Use keys if you can. If 
you need passwords then move ssh from port 22 and install denyhosts or 
fail2ban.

Don't forget to do a whois on the ip and notify the 
abuse-IEbV4ISQ1OQLjeHjzwaQZA at public.gmane.org address :)

Jamon
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
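
Added example, not part of the original thread and not fail2ban's or denyhosts' own code: the per-host failure counting such tools apply, run over constructed log lines in the pam_unix format quoted above. The function name, the 3-failures-in-10-minutes threshold, the year and the sample hosts are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the pam_unix format quoted in the post.
# Hosts use documentation-reserved addresses and names.
SAMPLE_LOG = [
    "Aug 27 02:19:50 billy sshd(pam_unix)[9375]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10",
    "Aug 27 02:19:53 billy sshd(pam_unix)[9377]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "Aug 27 02:19:57 billy sshd(pam_unix)[9379]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10",
    "Aug 27 02:20:01 billy sshd[9380]: Accepted publickey for martin from 198.51.100.7 port 40022 ssh2",
    "Aug 27 02:32:42 billy sshd(pam_unix)[9637]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net",
    "Aug 27 02:50:00 billy sshd(pam_unix)[9702]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net",
    "Aug 27 03:10:00 billy sshd(pam_unix)[9811]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;"
    r".*\brhost=(?P<rhost>\S+)"
)

def find_offenders(lines, max_retry=3, window=timedelta(minutes=10), year=2007):
    """Map each rhost to the time its max_retry-th failure within `window` was logged."""
    recent = defaultdict(deque)  # rhost -> failure times still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd pam_unix failure (e.g. a successful login)
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["rhost"]]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()  # forget failures older than the window
        if len(hits) >= max_retry:
            flagged.setdefault(m["rhost"], when)
    return flagged

if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"{host} reached the threshold at {when}")
```

In the sample, scanner.example.net is never flagged because its failures are spaced wider than the window, so threshold-based blocking alone does not stop slow guessing.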




