[wplug] Any tips against this kind of ssh break-in?

Chester R. Hosey Chester.Hosey at gianteagle.com
Fri Jul 15 09:20:45 EDT 2005


On Fri, 2005-07-15 at 07:46 -0400, Russ Schneider wrote:
> Occasionally, I get someone trying to break in via ssh, just hammering 
> away, I'm assuming just trying to guess passwords automatically.
> 
> Example: http://www.sugapablo.net/docs/script-02.txt
> 
> I have a firewall, ssh is one of the few open ports.  The firewall 
> (Netgear) does not let me block IP addresses or IP ranges.
> 
> I did notice that in sshd_config, root was allowed to login.  I just
> turned that off.
> 
> Luckily, no one has gotten in with this kind of attempt yet.  But I was 
> wondering if there were any further measures I could take to make sure it 
> never happens.
> 
> Ideally, I would think there would/should be some kind of measure I could
> take where if an IP address made X number of attempts to login and failed
> in a Y hour period, that IP address would be blocked from further login
> attempts.
> 
> Any such thing available/possible?
> 
> Any other suggestions to further tighten things down?  What about other 
> users in the system like http, mysql, ftp, etc?  I *assume* that since 
> these users don't have (at least I don't think so) passwords associated 
> with them and sshd_config will only allow users with passwords to login 
> that they can't login.  (But I could be wrong.)

Not mentioned by others is the possibility of turning on the kernel
firewall. If you're being hit by the same host, I'd just drop all
incoming traffic to the box from that (IP|set of IPs).

If that is the case, you might also forward your logs on to the ISP
which owns the offending address(es). Your luck depends on the amount to
which the ISP's admins can be bothered to care at the moment but you may
be able to cut things off at the source. It's possible that if the
person being naughty learns that there are consequences to doing things
that they shouldn't be doing they might just decide that it isn't worth
the trouble.

Chet
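Russ's "X failed attempts in Y hours" threshold and Chet's kernel-firewall drop, put together as an added example that is not code from either poster: it parses sshd "Failed password" lines out of a constructed syslog sample, finds the addresses that cross the threshold inside a sliding time window, and returns (rather than applies) the netfilter rules that would drop their SSH traffic. The syslog line format, the year (syslog omits it), the addresses and the port are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines; documentation-range addresses, not from the thread.
SAMPLE_LOG = """\
Jul 15 07:40:01 box sshd[2101]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jul 15 07:40:03 box sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Jul 15 07:40:05 box sshd[2105]: Failed password for invalid user test from 203.0.113.9 port 51250 ssh2
Jul 15 07:40:07 box sshd[2107]: Failed password for invalid user guest from 203.0.113.9 port 51261 ssh2
Jul 15 07:41:00 box sshd[2110]: Failed password for russ from 198.51.100.4 port 40001 ssh2
Jul 15 07:41:30 box sshd[2112]: Accepted password for russ from 198.51.100.4 port 40002 ssh2
Jul 15 09:50:00 box sshd[2201]: Failed password for invalid user oracle from 192.0.2.77 port 33001 ssh2
Jul 15 12:50:00 box sshd[2202]: Failed password for invalid user oracle from 192.0.2.77 port 33002 ssh2
Jul 15 15:50:00 box sshd[2203]: Failed password for invalid user oracle from 192.0.2.77 port 33003 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse_failures(log, year=2005):
    """Yield (timestamp, ip) for each failed-password line; the year is assumed since syslog omits it."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def offenders(log, max_attempts, window_hours):
    """Return the IPs with at least max_attempts failures inside any window_hours-long window."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log):
        by_ip[ip].append(ts)
    window = timedelta(hours=window_hours)
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= max_attempts:
                hits.add(ip)
                break
    return sorted(hits)

def drop_rules(ips, port=22):
    """Netfilter rules dropping each offender's SSH traffic; returned as text, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]
```

Against a live box, feed it the contents of the auth log (e.g. `offenders(open("/var/log/auth.log").read(), 5, 1)`) and review the printed rules before running them as root.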