PaulDotCom mailing list archives

Ssh break in attempt


From: j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)
Date: Wed, 10 Mar 2010 23:01:31 -0500

If your SSH server is listening on the standard port (port 22), it is not
unusual to see a lot of automated brute force attacks.  If you have a
sufficiently complex (8+, non-dictionary, avoid names of pets, children,
birthdates, etc, etc) password, you should be safe from most automated brute
force attacks.  Your logs should also record successful SSH logins.  Search
for any successful logins from unfamiliar IPs if you want to see if you were
breached.  Of course if you were breached, and someone was able to escalate
their privileges, your logs are not reliable.   If you want to be on the safe
side, reset your passwords and follow the tips below.

Here are a few tips to secure your home SSH server (all these can be done by
editing the sshd_config file - don't forget to restart the sshd service
after editing the file):

1. Change the port that SSH is listening on.  This will not stop a
determined targeted attack, but will stop a lot of the automated brute force
attempts.
2. Don't allow root to log on directly.
3. Disable password access and use a key file instead.  If this is not
possible, make sure you use a complex password (I would recommend a 10+
character passphrase).
4. Since this is a home machine, and you are probably the only one
accessing it, set the "allowed users" to your user name.  That way it will
only accept connections from your account name.

I hope this helps.

Jody
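As an added example (not code from the thread), a small Python checker for the log search Jody describes above: it parses OpenSSH auth-log lines, lists successful logins from addresses outside a set you recognise, and counts failed attempts per source address. The log lines, host name, user names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in OpenSSH's syslog format (not from the thread).
SAMPLE_AUTH_LOG = """\
Mar 10 18:02:11 home sshd[2113]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar 10 18:02:14 home sshd[2113]: Failed password for invalid user oracle from 203.0.113.7 port 51015 ssh2
Mar 10 18:02:20 home sshd[2120]: Failed password for invalid user jennifer from 198.51.100.23 port 40211 ssh2
Mar 10 18:05:03 home sshd[2131]: Accepted publickey for jody from 192.168.1.20 port 53210 ssh2
Mar 10 18:07:45 home sshd[2140]: Accepted password for jody from 203.0.113.7 port 51099 ssh2
Mar 10 18:09:00 home sshd[2150]: Failed password for root from 198.51.100.23 port 40300 ssh2
"""

# OpenSSH logs both outcomes in the same shape:
# "<Accepted|Failed> <method> for [invalid user] <name> from <ip> port <n> ssh2"
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_ssh_logins(log_text):
    """Yield one dict (result, method, user, ip) per sshd login attempt in the text."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.groupdict()


def suspicious_logins(log_text, known_ips):
    """Successful logins from addresses not in known_ips: the 'unfamiliar IPs' check."""
    return [e for e in parse_ssh_logins(log_text)
            if e["result"] == "Accepted" and e["ip"] not in known_ips]


def failures_by_ip(log_text):
    """Count failed attempts per source address to see who was hammering the server."""
    return Counter(e["ip"] for e in parse_ssh_logins(log_text) if e["result"] == "Failed")


if __name__ == "__main__":
    # Home addresses you expect to log in from (assumed values for the sample).
    trusted = {"192.168.1.20"}
    for entry in suspicious_logins(SAMPLE_AUTH_LOG, trusted):
        print("REVIEW: {user} accepted via {method} from {ip}".format(**entry))
    for ip, n in failures_by_ip(SAMPLE_AUTH_LOG).most_common():
        print("{} failed attempts from {}".format(n, ip))
```

To run it on a real host, read /var/log/auth.log (or /var/log/secure on Red Hat-style systems) into log_text instead of the sample; as the message notes, logs on a machine where the attacker gained root cannot be trusted on their own.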

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Brett
Sent: Wednesday, March 10, 2010 6:49 PM
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] Ssh break in attempt

I realized I haven't checked my logs on my new server ( bad me ). But I
figured I wouldn't find anything, it's only my personal server. I checked
the logs today to find thousands of login attempts. Most tried to brute my
root password, though I don't have a root user. There were a bunch of user
name attempts for what looked like a name dictionary attack. Some were from
business static IPs and there were even some from perdu.edu

Now for my questions. What should I look for to find out if they actually
got in? Parse the auth log for those IPs for a successful login? I also
run a web server on that machine, is there something I can look for to see
if they got into that? Also is there any recourse I have? Or should I just
let it go and harden my server even more?

Sent from my iPhone