how to react on ssh attacks?

Michael A. Peters mpeters at mac.com
Mon Oct 24 10:27:52 UTC 2005


On Mon, 2005-10-24 at 09:49 +0000, Stephanus Fengler wrote:
> Dear list readers,
> 
> I know that this is not a security list but it seems a good starting 
> point for me as an ordinary user to ask whether someone can point me in 
> the right direction.
> 
> I recently checked my log files of my ssh service (so far as I 
> understand this is my only service open) and realized that from the very 
> same IP I got a lot of requests trying to guess a user name on my system, 
> I assume. Since login name always changes in even chronological 
> alphabetical order.
> 
> So shall I worry about it or do I need to do some countermeasures?

1) Make sure root login via ssh is disabled
It's not by default.

in /etc/sshd_config

there will be a line that reads

PermitRootLogin yes

change the yes to no and then restart the sshd daemon

2) Turn it off altogether if you don't need it

3) Make sure all of your passwords are sane.

-=-
These random attacks are pretty common - they sniff networks for open
ssh ports, and when they find one - they try root with a bunch of
passwords, and then common user names with a bunch of passwords.

It's not really something to worry about - if you have root login
disabled, any attempts to ssh in as root will fail - and they only get
in if they happen to guess a user name AND a password. That's not likely
to happen if you have good passwords on your system (i.e. a meaningless
combination of letters, numbers, and other characters at least 10
characters long)

-=-
If you only ssh in from specific hosts, you can limit ssh access to
those hosts only - or you can use a pass key - where the connection is
not done with passwords at all, but done with a pass phrase only - which
requires a key on the connecting machine that has been signed by your
private key.
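
An added example, not part of the original message: a small audit of sshd_config text against the three points in the reply above (root login, password logins, host restriction). The default values, the finding labels, the use of AllowUsers USER@HOST patterns as the host limit, and the sample files are assumptions made for illustration.

```python
import re

# Assumed defaults for keywords missing from the file; adjust per OpenSSH version.
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

def effective_settings(config_text):
    """Parse the global section of an sshd_config into {keyword: value}."""
    settings, allow_users = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry no setting
        m = re.match(r"([A-Za-z0-9]+)[\s=]*(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":            # conditional overrides are not evaluated here
            break
        if keyword == "allowusers":       # list keyword: repeated lines accumulate
            allow_users += value.split()
        else:
            settings.setdefault(keyword, value.lower())  # first value read wins
    merged = {**ASSUMED_DEFAULTS, **settings}
    merged["allowusers"] = allow_users
    return merged

def audit(config_text):
    """Return finding labels (hypothetical names) for the reply's hardening points."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append("root-login")     # root stays a directly guessable account
    if s["passwordauthentication"] != "no":
        findings.append("password-auth")  # password guessing remains possible
    if not any("@" in entry for entry in s["allowusers"]):
        findings.append("no-host-limit")  # no USER@HOST pattern limits source hosts
    return findings

# Constructed sample files, not taken from any real host.
WEAK = "#PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n"
HARDENED = ("PermitRootLogin no\nPasswordAuthentication no\n"
            "AllowUsers alice@192.0.2.10\nAllowUsers bob@192.0.2.*\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

In the weak sample the commented-out line and the later duplicate change nothing: the first uncommented PermitRootLogin value is the one in effect.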



