[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Any danger from these ports?



On Sat, 2005-01-08 at 22:38 +0000, Paul wrote:

[snip]

> There are few things in my logs which are suspicious...
> 
> First are a couple like this
> 
> Jan  1 22:18:35 T7 sshd[31409]: Invalid user test
> from ::ffff:70.56.41.21
> Jan  1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-
> consulting.com, but this does not map back to the address - POSSIBLE
> BREAKIN ATTEMPT!
> 
> I seem to be subjected to a dictionary attack.

  It's been going on for several months now.  Must be some kind of worm
out there, but it's harmless provided you take some precautions.

> Should I be overly worried? I've closed ssh on my router, so that's one
> line of defence in the way :-)
> 

  And that probably covers it all.  If you need ssh enabled on an
internet connected host, I would recommend at least one, maybe all of
the following:

1) Allow rsa key logins only.
2) Restrict by IP address, if possible.
3) Restrict by username if possible.
4) Run sshd on a port other than 22.
5) Use port knocking if you are really paranoid.  (Though that hasn't
   had enough field testing to trust it as the only security measure,
   for sure.)

-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]