PaulDotCom mailing list archives
Ssh break in attempt
From: j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)
Date: Wed, 10 Mar 2010 23:01:31 -0500
If your SSH server is listening on the standard port (port 22), it is not unusual to see a lot of automated brute force attacks. If you have a sufficiently complex (8+, non-dictionary, avoid names of pets, children, birthdates, etc, etc) password, you should be safe from most automated brute force attacks. Your logs should also record successful SSH logins. Search for any successful logins from unfamiliar IPs if you want to see if you were breached. Of course if you were breached, and someone was able to escalate their privileges, your logs are not reliable. If you want to be on the safe side, reset your passwords and follow the tips below.

Here are a few tips to secure your home SSH server (all these can be done by editing the sshd_config file - don't forget to restart the sshd service after editing the file):

1. Change the port that SSH is listening on. This will not stop a determined targeted attack, but will stop a lot of the automated brute force attempts.
2. Don't allow root to logon directly.
3. Disable password access and use a key file instead. If this is not possible, make sure you use a complex password (I would recommend 10+ passphrase).
4. Since this is a home machine, and you are probably the only one accessing it, set the "allowed users" to your user name. That way it will only accept connections from your account name only.

I hope this helps.

Jody

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Brett
Sent: Wednesday, March 10, 2010 6:49 PM
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] Ssh break in attempt

I realized I haven't checked my logs on my new server (bad me). But I figured I wouldn't find anything, it's only my personal server. I checked the logs today to find thousands of login attempts. Most tried to brute my root password, though I don't have a root user. There were a bunch of user name attempts for what looked like a name dictionary attack. Some were from business static IPs and there were even some from perdu.edu.

Now for my questions. What should I look for to find out if they actually got in? Parse the auth log for those IPs for a successful login? I also run a web server on that machine, is there something I can look for to see if they got into that? Also is there any recourse I have? Or should I just let it go and harden my server even more?

Sent from my iPhone

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
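The check Jody describes (look for "Accepted" logins from unfamiliar IPs, and compare them against the IPs that were brute-forcing), as an added example script that is not part of the thread. It parses the standard OpenSSH auth.log "Accepted"/"Failed" line format; the log lines and the trusted IP are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt in OpenSSH's line format (not from the thread).
SAMPLE_LOG = """\
Mar 10 18:40:01 myhost sshd[1234]: Failed password for root from 203.0.113.5 port 4022 ssh2
Mar 10 18:40:03 myhost sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
Mar 10 18:40:05 myhost sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 3301 ssh2
Mar 10 18:45:10 myhost sshd[1300]: Accepted publickey for brett from 192.0.2.10 port 51000 ssh2
Mar 10 19:02:44 myhost sshd[1400]: Accepted password for brett from 203.0.113.5 port 4100 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_log(text):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def triage(text, trusted_ips):
    """Count failures per source IP and flag any successful login that came
    from an IP outside the trusted set or from an IP that was also failing."""
    failures = Counter()
    successes = []
    for result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip] += 1
        else:
            successes.append((user, ip, method))
    suspicious = [s for s in successes if s[1] not in trusted_ips or failures[s[1]] > 0]
    return {"failures": dict(failures), "successes": successes, "suspicious": suspicious}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, trusted_ips={"192.0.2.10"})  # assumed home IP
    for ip, n in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} failed attempts from {ip}")
    for user, ip, method in report["suspicious"]:
        print(f"REVIEW: '{user}' accepted via {method} from {ip}")
```

On a real host, feed it /var/log/auth.log (or /var/log/secure) and your own address in the trusted set; a successful password login from the same IP that was brute-forcing is the line worth following up before resetting credentials.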
Current thread:
- Ssh break in attempt Brett (Mar 10)
- Ssh break in attempt Jody & Jennifer McCluggage (Mar 10)
- Ssh break in attempt Matt Erasmus (Mar 10)
- Ssh break in attempt Dimitrios Kapsalis (Mar 11)
- Ssh break in attempt Brett (Mar 11)
- Ssh break in attempt Joshua Smith (Mar 11)
- Ssh break in attempt Jody & Jennifer McCluggage (Mar 11)
- Ssh break in attempt PJ McGarvey (Mar 12)
- Ssh break in attempt Dimitrios Kapsalis (Mar 11)
- <Possible follow-ups>
- Ssh break in attempt iamnowonmai (Mar 10)