On Mon, 15 Mar 2010 11:37:35 +0000
Paul Tansom <paul@???> wrote:
> ** Andy Smith <andy@???> [2010-03-14 16:22]:
> > Hello,
> >
> > This very long email is about possible pro-active measures I could
> > take to prevent customers being compromised by SSH dictionary
> > attacks. The first part is just a recap of how we got here and what
> > happens. If you want to make it shorter by skipping that, then skip
> > to line 59 which begins with "Being compromised by an SSH dictionary
> > attack..."
> <snip>
Checking my /var/log/auth.log I realised I was getting hundreds if
not thousands of attempts to ssh into my server.
> > 1) Only use strong passwords.
I have just updated my root password to something stronger (hopefully)
as a result of this thread.
> > 2) Don't use passwords at all, only keys.
I set up a key for normal user ssh access right from the outset, I
didn't find it too difficult a task as there is plenty of 'help' just
a google away.
> > 3) Disable root login.
>
> Should be standard to my mind, although as has been said, a
> compromised Ubuntu account has sudo access with the password that has
> already been compromised.
Standard on my Debian Lenny system. I have never liked the use of
sudo with no root password as used by that other distro.
> > 5) Install DenyHosts or Fail2Ban.
>
> I'd go for Fail2Ban as default personally, and it should be fairly
> easy to promote this as a benefit to hosting for the less technical
> customers. Those that are technical can easily disable it if
> preferred - again with some good documentation :)
Installed Fail2Ban this morning and hope I have set it up correctly.
My only 'complaint' so far is that I cannot do
'tail /var/log/fail2ban.log' without having to su first. I believe there
are ways round this but haven't followed this up as yet.
> > 6) Move sshd to another port.
I thought to do that as well but found it wasn't just a matter of
changing the port from 22 to summat else in /etc/ssh/sshd_config, as I
couldn't then ssh in when I tested it from another terminal, getting an
'unable to open port 22' error.
Thanks Andy for bringing this to our attention. 'Proper' sys-admins may
well be born knowing this sort of stuff but we dabblers
need a bit of help from time to time.
One of these days I must have another go at using the spam filtering you
supply but don't want to end up giving you grief as I did last time ;-(
--
John Lewis
Debian & the GeneWeb genealogical data server
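An added example, not part of the thread above and not anyone's posted code: a small POSIX shell script that does two of the things discussed in this message. It counts "Failed password" attempts per source address in an auth.log-style file (the same maxretry decision Fail2Ban's sshd jail makes, here without the time window), and it reads the configured Port out of an sshd_config-style file, which is the value the client must be given with `ssh -p` once the port is moved off 22. Both input files are constructed here so the script runs offline; the function names and the sample log lines are the example's own, not from the list.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  All log and config
# content below is constructed sample data, not real traffic.

# Write a constructed sample of auth.log lines to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar 15 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51111 ssh2
Mar 15 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.5 port 51112 ssh2
Mar 15 10:01:06 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51113 ssh2
Mar 15 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51114 ssh2
Mar 15 10:01:11 host sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51115 ssh2
Mar 15 10:02:30 host sshd[1210]: Accepted publickey for john from 198.51.100.7 port 40022 ssh2
Mar 15 10:03:00 host sshd[1212]: Failed password for john from 198.51.100.9 port 40100 ssh2
EOF
}

# Write a constructed sshd_config fragment to the file named in $1.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config fragment (a commented-out "#Port 22" must be ignored)
#Port 22
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
}

# failed_by_ip LOGFILE
# Prints "<count> <ip>" per source address, most attempts first.  The address
# is the field after "from", which covers both "for root from ..." and
# "for invalid user X from ..." line shapes.  Successful logins are excluded.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break } }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# offenders LOGFILE MAXRETRY
# Prints only addresses with at least MAXRETRY failures, which is the
# threshold Fail2Ban applies (it additionally limits the count to findtime).
offenders() {
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# sshd_port CONFIGFILE
# Prints the effective listening port: the first uncommented "Port" line,
# or 22 when none is set.  This is the number to pass to "ssh -p".
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Stand-alone run: build the sample files, report, then clean up.
log=$(mktemp) && cfg=$(mktemp)
make_sample_log "$log"
make_sample_config "$cfg"
echo "Failed attempts per source address:"
failed_by_ip "$log"
echo "Addresses at or over 3 failures:"
offenders "$log" 3
echo "Connect with: ssh -p $(sshd_port "$cfg") user@host"
rm -f "$log" "$cfg"
```

On a real Debian system the log to feed in is /var/log/auth.log (readable by root or members of the adm group), and the same count can be checked against what Fail2Ban actually banned in /var/log/fail2ban.log.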