Re: top - ssh sessions/processes
- From: Rick Stevens <rstevens internap com>
- To: bret_stern machinemanagement com, Getting started with Red Hat Linux <redhat-install-list redhat com>
- Cc:
- Subject: Re: top - ssh sessions/processes
- Date: Tue, 19 Feb 2008 09:54:15 -0800
On Sun, 2008-02-17 at 21:20 -0800, Bret Stern wrote:
> Customer just called about a Fedora 6 box with
> an active hard disk. Ran top, and found 10 - 15 ssh tasks running.
>
> This is NOT normal for the specific machine.
>
> So, in /etc/ssh/sshd_config
>
>
> I changed the listento port to 5675 and set
>
> PermitRootLogin No
> Protocol 2
> ListenAddress xx.xx.xx.xx (to an internal ip address )
>
>
> Any ideas. Hackers...Yum update
Probably classic ssh attack. I use these rules in iptables to block
that sorta thing:
# This rejects ssh attempts more than twice in 180 seconds...
# First, mark attempts as part of the "sshattack" group...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Optional: Include this line if you want to log these attacks...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
# Finally, reject the connection if more than one attempt is made in 180 seconds...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
If someone tries to ssh more than once in 3 minutes, it blocks their IP
for 3 minutes. The second rule logs these occurrences.
You can tweak the timeouts by adjusting the "--seconds" parameter and
the attempts by tweaking the "--hitcount" parameter (e.g. "--seconds
300" for five minutes instead of three minutes).
> Which log can I look at to see WATZ-UP?
/var/log/secure is the first place. Also the output of dmesg
and /var/log/messages. Make sure you don't permit root ssh access
and if they want root, force them to "sudo bash" (which also creates
a syslog entry).
----------------------------------------------------------------------
Rick Stevens, Principal Engineer                  rstevens internap com
CDN Systems, Internap, Inc.                       http://www.internap.com

UNIX is actually quite user friendly. The problem is that it's
just very picky of who its friends are!
----------------------------------------------------------------------
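As an added illustration (not part of the thread, and not Rick's code), the following script shows how to use /var/log/secure to answer "what is going on": it tallies failed attempts per source IP from constructed sample lines, and it emulates the --set / --rcheck --seconds 180 --hitcount 2 logic of the iptables rules above so you can see which sources those rules would have rejected. It assumes one log line per connection and that the log uses the syslog format without a year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample /var/log/secure lines (not from the thread); one line = one connection.
SAMPLE_SECURE = """\
Feb 17 21:01:03 box sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb 17 21:01:05 box sshd[2203]: Failed password for root from 203.0.113.7 port 40123 ssh2
Feb 17 21:01:09 box sshd[2205]: Invalid user admin from 203.0.113.7
Feb 17 21:02:30 box sshd[2210]: Accepted publickey for bret from 192.0.2.10 port 51000 ssh2
Feb 17 21:03:00 box sshd[2212]: Accepted publickey for bret from 192.0.2.10 port 51002 ssh2
Feb 17 21:10:00 box sshd[2230]: Failed password for invalid user oracle from 198.51.100.9 port 3300 ssh2
Feb 17 21:20:00 box sshd[2240]: Failed password for invalid user test from 198.51.100.9 port 3301 ssh2
"""

LINE_RE = re.compile(
    r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*?) from (\d+\.\d+\.\d+\.\d+)')

def parse_secure(text, year=2008):
    """Return (timestamp, source ip, message) per sshd line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return events

def failed_by_ip(events):
    """Count failed-password / invalid-user attempts per source: the first thing to check."""
    counts = defaultdict(int)
    for _ts, ip, msg in events:
        if msg.startswith(("Failed password", "Invalid user")):
            counts[ip] += 1
    return dict(counts)

def simulate_recent(events, seconds=180, hitcount=2):
    """Emulate the rules: each SYN is --set (timestamp recorded), then --rcheck rejects
    when the source has >= hitcount timestamps in the last `seconds`. Note that accepted
    logins count too, so a legitimate user who reconnects quickly is also rejected."""
    seen = defaultdict(deque)
    rejected = []
    for ts, ip, _msg in events:
        q = seen[ip]
        q.append(ts)                                   # --set
        while (ts - q[0]).total_seconds() > seconds:   # drop entries outside the window
            q.popleft()
        if len(q) >= hitcount:                         # --rcheck --seconds N --hitcount M
            rejected.append((ts, ip))
    return rejected
```

Run `simulate_recent(parse_secure(SAMPLE_SECURE), seconds=300)` to see the effect of the "--seconds 300" tweak mentioned above.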