Re: Is this normal?

[bp1974 () comcast net]

> Checking my logs today I was a bit surprised to find about 80 refused
> connection attempts to my sshd during the last month like:
> Oct  7 21:22:27 firewall sshd[9710]: refused connect from
> xxx.xxx.xxx.xxx
>
> I did reverse lookups on the IP's with dig and found that the attemts
> originated from a variety of hosts from Italy, Polen, Russia, Sweden and
> Pakistan to name but a few.
>
> One particular host had tried connecting 19 times with just a few
> seconds between tries (is he/she just trying different commonly used
> passwords?)
>
> Now to my questions:
> Is this Normal?
YES
> Should I be concerned?
NOT REALLY. Make sure you dont have an easily guessed password. There are freeware tools available on the net that will
generate pseudo-random, non-consonent passwords.
> Any security tips, suggestions, thoughts? (I update regularly with
> swaret (SlackwareTool), use strong random passwords, tcp wrappers)

You may already know all this ... but just to be sure ...
*Disallow root logins for ssh
*disable sshv1 and use on ssh v2
* Only allow "certain" users to access the ssh service (using AllowGroups, DenyUsers setting)
*You can try running  ssh on a non-standard port. If you are truly paranoid, you can cycle between a set of predefined 
ports on  
port on a weekly basis. :)

All these changes can be done in the ssh conf file.


> Anyone know a good guide to hardening Slackware?
> Anything else you'd like to mention?
General Hardening Tips (do a google for more)
* Disable clear text services (telnet,ssh etc.)
* Install a firewall (ipchains) with rulebase that only accepts packets from known IP addresses. (DROP not REJECT
all others)

*

> Thanks, your help is much appreciated!
>
> Best regards Erlend.