[wplug] Any tips against this kind of ssh break-in?

Bill Moran wmoran at potentialtech.com
Fri Jul 15 09:46:37 EDT 2005


Russ Schneider <russ at sugapablo.com> wrote:

> Occasionally, I get someone trying to break in via ssh, just hammering 
> away, I'm assuming just trying to guess passwords automatically.
> 
> Example: http://www.sugapablo.net/docs/script-02.txt

[snip]

> Any other suggestions to further tighten things down?  What about other 
> users in the system like http, mysql, ftp, etc?  I *assume* that since 
> these users don't have (at least I don't think so) passwords associated 
> with them and sshd_config will only allow users with passwords to login 
> that they can't login.  (But I could be wrong.)

First off: Yes, sshd will not allow login to accounts without passwords
(by default anyway).  You can also disable accounts, which further
prevents login.

An additional thing you can do is to use public/private keys for login
instead of passwords.  I've yet to see anyone try to break in using
private key guessing.  You can set the accounts to not have a password.
(be very sure to keep the private key secure and not lose it).

Additionally, private keys are _considerably_ harder to guess than
passwords, so if anyone ever _does_ try to guess, they'll have a LOT more
work to do.

On the positive side, the simple act of disabling remote access to root
(in addition to a passwd file audit to ensure other system accounts are
inaccessible remotely) will probably protect you from ever having this
attack used against you.  In my experience, these attacks are scripted
and not very clever.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
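As an added example (not part of Bill Moran's reply or the wplug thread), here is the audit he suggests, run over constructed passwd, shadow and sshd_config fragments: which accounts could still be reached by password guessing, which are locked, and whether remote root login and password authentication are explicitly turned off. The account names, hashes and config lines are constructed sample data; `PermitRootLogin` and `PasswordAuthentication` are real sshd_config directives.

```python
# Added example, not from the original thread: audit constructed passwd/shadow
# data and an sshd_config fragment for the points raised in the reply.

# Constructed sample files (the hashes are placeholders, not real hashes).
PASSWD = """root:x:0:0:root:/root:/bin/sh
russ:x:1000:1000:Russ:/home/russ:/bin/bash
http:x:33:33:web:/var/www:/bin/false
mysql:x:27:27:db:/var/lib/mysql:/bin/bash
ftp:x:14:50:ftp:/var/ftp:/sbin/nologin
"""
SHADOW = """root:$6$constructed$hashA:16000:0:99999:7:::
russ:$6$constructed$hashB:16000:0:99999:7:::
http:*:16000:0:99999:7:::
mysql::16000:0:99999:7:::
ftp:!:16000:0:99999:7:::
"""
SSHD_CONFIG = """# constructed sshd_config fragment
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
WANT_NO = ("PermitRootLogin", "PasswordAuthentication")

def audit_accounts(passwd_text, shadow_text):
    """Classify each account: 'password' if a guessed password could work
    (real hash, usable shell); 'empty' if the shadow field is empty (sshd
    refuses these by default, but lock them anyway); 'locked' for a '*'/'!'
    hash or a nologin shell."""
    shells = {l.split(":")[0]: l.split(":")[6]
              for l in passwd_text.splitlines() if l.count(":") == 6}
    result = {}
    for line in shadow_text.splitlines():
        name, hashed = line.split(":")[:2]
        if shells.get(name) in NOLOGIN_SHELLS or hashed[:1] in ("*", "!"):
            result[name] = "locked"
        elif hashed == "":
            result[name] = "empty"
        else:
            result[name] = "password"
    return result

def sshd_settings(text):
    """First value for a directive wins, as in sshd; '#' lines are ignored;
    None means the directive is unset and the sshd version's default applies."""
    canon = {k.lower(): k for k in WANT_NO}
    seen = {k: None for k in WANT_NO}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() in canon:
            key = canon[parts[0].lower()]
            if seen[key] is None:
                seen[key] = parts[1].lower()
    return seen

def hardening_gaps(settings):
    """Directives not explicitly set to 'no', i.e. still relying on passwords
    or still permitting remote root login."""
    return [k for k, v in settings.items() if v != "no"]
```

Running `audit_accounts(PASSWD, SHADOW)` on the sample flags `root` and `russ` as password-reachable and `mysql` as having an empty password with a usable shell, while `hardening_gaps(sshd_settings(SSHD_CONFIG))` lists both directives as not yet set to `no`.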

