Pretty sick of logs full of ssh brute forcing..

Support for security such as Firewalls and securing linux
Nick
Posts: 9
Joined: 2004/12/22 11:29:56
Contact:

Pretty sick of logs full of ssh brute forcing..

Post by Nick » 2006/03/31 09:17:23

So I installed denyhosts. It's working, in daemon form (as far as I can tell), I've got a lot more entries in my hosts.deny file, but now that I think about it, sshd probably isn't using tcpwrappers, as it runs as a daemon... as I still have logs full of people trying to brute force the machine.

To get sshd running with tcpwrappers, it has to be an xinetd service, correct?

Am I way off base here, or do I need to look at my sshd_config or denyhosts config a bit closer?

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

Re: Pretty sick of logs full of ssh brute forcing..

Post by ixeous » 2006/03/31 13:27:56

If the logs annoy you, I would suggest changing the ssh port in sshd_config. I've done it and it works.

Nick
Posts: 9
Joined: 2004/12/22 11:29:56
Contact:

Re: Pretty sick of logs full of ssh brute forcing..

Post by Nick » 2006/03/31 14:26:07

Yeah, but I'd prefer that the service remains, and only people who try and abuse it are caused problems.

Security through obscurity is fine, but I want a little more.

TobiasBXL
Posts: 2
Joined: 2006/03/31 13:28:58
Contact:

Re: Pretty sick of logs full of ssh brute forcing..

Post by TobiasBXL » 2006/03/31 16:40:04

There is basically a better approach than switching ports.

Disable login by password and use public/private key encryption instead.

If you can, don't blacklist IPs. Instead whitelist those that are allowed to connect.

Another method of making SSH more secure is to use S/Key.

regards,
Tobias

jdonz
Posts: 32
Joined: 2006/03/05 20:35:34
Location: Phoenix

Re: Pretty sick of logs full of ssh brute forcing..

Post by jdonz » 2006/04/09 16:54:22

I have used this KB article from Red Hat in the past: http://kbase.redhat.com/faq/FAQ_44_4145.shtm. Also, I'm fairly certain that tcpwrappers is not a daemon, although I could be wrong. The easiest way to approach the issue is to only allow, or whitelist, known good hosts, like your office and home IPs; everything else gets denied. It is much easier to manage this way.

K_Frye
Posts: 425
Joined: 2005/07/13 01:48:35
Location: Canada

Re: Pretty sick of logs full of ssh brute forcing..

Post by K_Frye » 2006/04/18 20:42:57

[quote]
Nick wrote:
So I installed denyhosts. It's working, in daemon form (as far as I can tell), I've got a lot more entries in my hosts.deny file, but now that I think about it, sshd probably isn't using tcpwrappers, as it runs as a daemon... as I still have logs full of people trying to brute force the machine.

To get sshd running with tcpwrappers, it has to be an xinetd service, correct?

Am I way off base here, or do I need to look at my sshd_config or denyhosts config a bit closer?[/quote]

You want something like sshdfilter:

http://www.csc.liv.ac.uk/~greg/sshdfilter/

(Or you could just change the port sshd runs on / use whitelist only.)

CameronD
Posts: 17
Joined: 2006/04/09 13:18:32

Re: Pretty sick of logs full of ssh brute forcing..

Post by CameronD » 2006/05/07 11:44:10

[quote]
To get sshd running with tcpwrappers, it has to be an xinetd service, correct?[/quote]
No, it just has to be compiled with the tcpwrappers library. It does not use xinetd (but you can if you want).

RedHat have in the past compiled in tcpwrappers, but it appears that it is not included in CentOS 4.3.

I have never seen any ssh brute force logs. I don't allow password auth.
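As an added illustration of what the thread is circling around (this is example code, not anything from the forum posts or from denyhosts/sshdfilter): the script below counts failed-password attempts per source address in sshd syslog lines, turns repeat offenders into the `sshd: a.b.c.d` form that hosts.deny expects, and checks whether an sshd_config text still permits password authentication. The log lines and config snippets are constructed samples; the threshold of 3 is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample auth log lines in the syslog format sshd writes (not real traffic).
SAMPLE_LOG = """\
Mar 31 09:01:02 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4411 ssh2
Mar 31 09:01:05 host sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 4412 ssh2
Mar 31 09:01:09 host sshd[2105]: Failed password for root from 192.0.2.10 port 4413 ssh2
Mar 31 09:02:11 host sshd[2110]: Accepted publickey for nick from 198.51.100.5 port 50022 ssh2
Mar 31 09:03:00 host sshd[2115]: Failed password for nick from 198.51.100.5 port 50023 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return a Counter mapping source IP -> number of failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def hosts_deny_entries(log_text, threshold=3, whitelist=()):
    """Build hosts.deny lines ('sshd: IP') for sources at or over the threshold.

    Whitelisted addresses (e.g. your own office/home IPs) are never listed, so a
    mistyped password from a known host cannot lock it out. These entries only
    have any effect if sshd was built against libwrap (see the thread above).
    """
    counts = count_failures(log_text)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in whitelist]


def password_auth_enabled(sshd_config_text):
    """Return True if the config still allows password logins.

    OpenSSH uses the first occurrence of a keyword and defaults to 'yes' when the
    keyword is absent or commented out. Match blocks are not handled here.
    """
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"  # first value wins
    return True                                    # OpenSSH default
```

Whether hosts.deny is consulted at all can be confirmed by running `ldd` on the sshd binary and looking for libwrap in its output; a commented-out `PasswordAuthentication` line leaves the default (yes) in force, which is why the parser treats it as still enabled.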
