Date: Tue, 9 May 2006 11:24:59 -0400 (EST)
From: "Ean Kingston" <ean@istop.com>
To: "M. Goodell" <freebsdutah@yahoo.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Re: System Intrustion Detection
Message-ID: <20060509152507.0012017C007@www.istop.com>
In-Reply-To: <20060509145403.71699.qmail@web32413.mail.mud.yahoo.com>
M,

There are several choices you can make to deal with this.

First, be sure your root password is 'strong'. Generally 'strong' means that it is a combination of upper case, lower case, and numbers with a decent length. I personally go with at least 12 characters and throw in some punctuation as well. Also, don't use real words.

Second, configure your ssh daemon to only support public key authentication (PubkeyAuthentication, RSAAuthentication). This means every user needs to have a public/private key pair. One part stays on the server, the other goes to the remote system and is used to authenticate with the server. This also makes the password attacks you are seeing pretty useless.

Third, if your users are all coming in from a relatively small list of IP addresses, you can consider using tcpwrappers (which should have been built in to your sshd daemon). This allows you to configure the sshd daemon to only allow access from a restricted set of IP addresses (or block a specific set of addresses). This method will also stop those messages from appearing in your mail once it is set up properly.

I use all three techniques. Unfortunately, I have found that I have to pretty much exclude large parts of the world from accessing my ssh server for the third option to be effective, and it is getting worse. I used to have to block only a handful of countries but I'm now seeing attempts from several continents.

"M. Goodell" <freebsdutah@yahoo.com> said:
> More and more each day I am seeing my root emails contain hundreds of entries like this:
>
> May 8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
> May 8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
>
> Basically, people are attempting to hack into my server, often with a few thousand attempts each day. What measures can I take to stop these attempts? Is there a way I can detect these attacks and automatically cut them off?
> Are any of the security ports effective against this?
>
> Thank you!
>
> M Goodell
--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060509152507.0012017C007>
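The question asks for a way to detect these attempts and cut them off automatically, and the reply points at tcpwrappers as the cut-off mechanism. The following is an added example from the editor, not code from either poster: it parses the two syslog formats quoted in the question (sshd "Failed password" and ftpd "FTP LOGIN FAILED FROM"), counts failures per source address, and renders tcpwrappers deny rules for addresses over a threshold. The log lines, the threshold, the allowlist and the host names are all constructed for the example; the `sshd, ftpd : <ip> : deny` rule form is the extended hosts_options(5) syntax that FreeBSD's single-file /etc/hosts.allow uses.

```python
# Added example (not from the original thread). Count failed sshd/ftpd logins
# per source address from syslog lines and render tcpwrappers deny rules for
# the worst offenders. All sample data below is constructed for illustration.
import re
from collections import Counter

# Patterns for the two log formats quoted in the question. The sshd pattern
# also accepts the "invalid user <name>" form that appears for unknown accounts
# and "publickey" failures, so key-only servers still get counted.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
FTPD_RE = re.compile(
    r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (\d{1,3}(?:\.\d{1,3}){3}), (\S+)"
)

# Constructed sample log; "warpstone" is the host name used in the question.
# One line is a successful key login and must not be counted.
SAMPLE_LOG = """\
May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
May  8 02:23:38 warpstone sshd[26094]: Failed password for root from 222.185.245.208 port 50530 ssh2
May  8 02:23:41 warpstone sshd[26096]: Failed password for invalid user admin from 222.185.245.208 port 50541 ssh2
May  8 09:12:02 warpstone sshd[27010]: Failed password for root from 10.0.0.5 port 4021 ssh2
May  8 09:12:07 warpstone sshd[27011]: Accepted publickey for ean from 10.0.0.5 port 4022 ssh2
May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
May  8 16:37:44 warpstone ftpd[34714]: FTP LOGIN FAILED FROM 211.44.250.152, administrator
May  8 16:37:47 warpstone ftpd[34715]: FTP LOGIN FAILED FROM 211.44.250.152, root
May  8 16:38:01 warpstone ftpd[34716]: FTP LOGIN FAILED FROM 211.44.250.152, ftp
"""


def parse_failures(log_text):
    """Return (Counter of (service, ip) -> failures, dict of ip -> usernames tried)."""
    counts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            counts[("sshd", ip)] += 1
            users.setdefault(ip, set()).add(user)
            continue
        m = FTPD_RE.search(line)
        if m:
            ip, user = m.group(1), m.group(2)
            counts[("ftpd", ip)] += 1
            users.setdefault(ip, set()).add(user)
    return counts, users


def offenders(counts, threshold, allowlist=frozenset()):
    """Addresses whose failures across all services reach the threshold.

    The allowlist guards against locking out your own management hosts
    after a few typos; a blanket auto-ban with no allowlist is a self-DoS."""
    per_ip = Counter()
    for (_service, ip), n in counts.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items()
                  if n >= threshold and ip not in allowlist)


def hosts_allow_rules(ips):
    """Render tcpwrappers rules denying sshd and ftpd to each address.

    Uses the extended "daemon_list : client_list : option" form so the rules
    can live in /etc/hosts.allow, which is the only file FreeBSD consults."""
    return "".join(f"sshd, ftpd : {ip} : deny\n" for ip in ips)


if __name__ == "__main__":
    counts, users = parse_failures(SAMPLE_LOG)
    bad = offenders(counts, threshold=3, allowlist={"10.0.0.5"})
    for ip in bad:
        print(f"# {ip}: {sum(n for (_s, i), n in counts.items() if i == ip)} "
              f"failures, users tried: {sorted(users[ip])}")
    print(hosts_allow_rules(bad), end="")
```

Run from cron against /var/log/auth.log and append the output to /etc/hosts.allow (above the catch-all allow rule, since tcpwrappers stops at the first match), or feed the addresses into a pf table instead so the blocked hosts never reach the daemon at all. The threshold and allowlist are the two knobs to get right before automating it: the allowlist must contain every address you administer from, or one fat-fingered password locks you out of your own box.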