Re: [bitfolk] The perils of opening tcp/22 to the Internet

Author: Mathew Newton
Date:  
To: Andy Smith
CC: users
Subject: Re: [bitfolk] The perils of opening tcp/22 to the Internet
Hi Andy,

On Sun, March 14, 2010 8:51 am, Andy Smith wrote:
> This very long email is about possible pro-active measures I could take
> to prevent customers being compromised by SSH dictionary attacks.
Apt timing for me - I've only just joined and noticed in my logs that from
the very first day of my VPS going live I was receiving 500 login attempts
per hour (not from another Bitfolk customer however).

> 5) Install DenyHosts or Fail2Ban.

I think this approach would be a good start, although note that neither of
those supports IPv6, so for those who have it enabled they'd turn a blind
eye to such connections. SSHguard (http://www.sshguard.net) claims to
support it, however I've not used it personally.

> (3) is already the case for Ubuntu of course, but not any of the other
> distributions offered. I haven't kept track of how many compromises have
> been of root and not some other user but disabling root access by SSH and
> requiring some other username seems a reasonable starting point, would at
> least limit the damage.

My Ubuntu memories are somewhat hazy, however is it not the case that with
the default setup the first user is made part of the admin group? Hence,
if their password is compromised an attacker also has full superuser
rights through sudo... The attacker does of course have to be hitting the
right username, so there is still some mitigation however.

Mathew
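As an added illustration of the IPv6 gap Mathew raises (this is example code written for this page, not anything from DenyHosts, Fail2Ban or SSHguard): a small auth.log parser whose source-address pattern accepts both IPv4 and IPv6 literals, and which flags sources that exceed a failure threshold inside a time window. The log lines, hostname, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd failure lines as seen in /var/log/auth.log. The src group accepts
# IPv4 dotted quads and IPv6 hex/colon literals alike, so v6 sources are
# not silently ignored (the gap noted above for DenyHosts/Fail2Ban).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F:.]+) port \d+ ssh2$"
)

def parse_failures(lines):
    """Yield (timestamp_str, user, source) for each sshd failure line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("src")

def offending_sources(lines, threshold=5, window_s=600):
    """Return {source: total_failures} for sources with >= threshold
    failures inside any window_s-second span (sliding window per source)."""
    by_src = defaultdict(list)
    for ts, _user, src in parse_failures(lines):
        # syslog timestamps carry no year; relative differences are enough here
        by_src[src].append(datetime.strptime(ts, "%b %d %H:%M:%S"))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits

# Constructed sample log (not real traffic): one IPv4 and one IPv6 source
# hammer the box; a third source has a single failure and then succeeds.
SAMPLE_LOG = (
    [f"Mar 14 08:51:{s:02d} vps sshd[1234]: Failed password for root "
     f"from 203.0.113.7 port {51000 + s} ssh2" for s in range(1, 6)]
    + [f"Mar 14 08:52:{s:02d} vps sshd[1235]: Failed password for invalid "
       f"user admin from 2001:db8::beef port {52000 + s} ssh2" for s in range(1, 6)]
    + ["Mar 14 09:00:00 vps sshd[1236]: Failed password for mathew "
       "from 198.51.100.9 port 40000 ssh2",
       "Mar 14 09:00:05 vps sshd[1236]: Accepted publickey for mathew "
       "from 198.51.100.9 port 40000 ssh2"]
)

if __name__ == "__main__":
    for src, n in offending_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failures")
```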