Educause Security Discussion mailing list archives
Re: significant incoming SSH volume
From: Joe Vieira <jvieira () CLARKU EDU>
Date: Tue, 16 Mar 2010 16:17:16 -0400
Hi Justin, Just some advice: I would certainly limit access to SSH to only your administrative vlans and require the vpn to SSH in. I would also disable direct root access via SSH in /etc/sshd/sshd_config PermitRootLogin no then restart SSH If that's not feasible there are ways to make iptables help you and stop brute force attacks. An example of such being -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 5 --rttl --name SSH -j LOG --log-prefix SSH_brute_force -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 5 --rttl --name SSH -j DROP Basically you're using the recent module to track the ip session. So when someone tries to connect on port 22 you start watching them, if they do it 5 times in 2 minutes log and drop the packet. Bingo you've got yourself a self adapting firewall. Welcome, Joe Vieira Manager Systems Administration Clark University Justin Sipher wrote:
Hello all. We have seen a drastic uptick in recent days for inbound SSH connections to many of our servers. These connection are attempting to connect to our servers as ROOT and are coming from IP addressed appearing to be mostly overseas. They number in the thousands of connections. While we are confident in the strength of our passwords, as you know with enough effort....... My questions to this group are: * Is anyone else seeing this? * Are you doing anything to address this? We are contemplating blocking SSH inbound on our firewall and requiring any external SSH connection to first connect to our VPN. In some ways it seems excessive and maybe even unsustainable. On the other hand, protecting our servers is important as you well know. Any advice, feedback, or suggestion of best practice is welcome. Best & thanks! ...Justin ________________________ Justin Sipher Chief Technology Officer Skidmore College Saratoga Springs, NY jsipher () skidmore edu <mailto:jsipher () skidmore edu> 518-580-5909
Current thread:
- significant incoming SSH volume Justin Sipher (Mar 16)
- <Possible follow-ups>
- Re: significant incoming SSH volume Joe Vieira (Mar 16)
- Re: significant incoming SSH volume Edgmand, Craig (Mar 16)
- Re: significant incoming SSH volume Michael Horne (Mar 16)
- Re: significant incoming SSH volume Joel Rosenblatt (Mar 16)
- Re: significant incoming SSH volume John Kristoff (Mar 16)
- Re: significant incoming SSH volume Mike Iglesias (Mar 16)
- Re: significant incoming SSH volume Michael J. Wheeler (Mar 16)
- Re: significant incoming SSH volume Russell Fulton (Mar 17)
- Re: significant incoming SSH volume Dexter Caldwell (Mar 17)
- Re: significant incoming SSH volume Miller, Don C. (Mar 18)
- Re: significant incoming SSH volume Michael J. Wheeler (Mar 18)
(Thread continues...)