Koozali.org: home of the SME Server

ssh and security

b2vn

« on: July 23, 2006, 04:39:56 PM »
Hi all

I have been looking some in the log files on my server, and I can see that I have 2-300 failed ssh logins every day with usernames that do not exist, and 2-300 more failed with root login.

What can I do to make this more secure?

So far I have denied root login, and created my own root user with a user name containing both upper and lower case and numbers + a strength 4 password.

I have read about sshutout, and I think it sounds brilliant. I have tried to install it, it seems to be running, but the attacks continue and nothing is put in the sshutout log, so I must have done something wrong...
http://www.techfinesse.com/sshutout/sshutout.html

Anyone have an idea on how to debug sshutout, or should I try something different/better instead?

dsemuk

« Reply #1 on: July 23, 2006, 04:57:47 PM »
Quote from: "b2vn"
I have been looking some in the log files on my server, and I can see that I have 2-300 failed ssh logins every day with usernames that do not exist, and 2-300 more failed with root login.


I think the phrase "failed logins" says it all really, whatever you do you are still going to see failed attempts, unless your internet provider blocks SSH traffic before it gets to you.

You should be looking at only allowing SSH connections to your server from the local network.

If you really fear that someone wants to gain access to your SMEserver, you will have to completely disable SSH access.

Dave
--
Esmith/Mitel/SME server  :-D...

b2vn

« Reply #2 on: July 23, 2006, 05:12:18 PM »
Well, I know the only way to be safe is not to be connected, but then you will also miss quite a lot of the fun :)

As I understand what I have read about sshutout, it should generate firewall settings to block IPs if the user has a certain number of failed logins. If those firewall settings had been generated, I wouldn't expect to see messages like this in the sshd log:
2006-07-22 20:37:33.715668500 input_userauth_request: invalid user mailman
2006-07-22 20:37:33.717384500 Could not get shadow information for NOUSER
2006-07-22 20:37:33.717388500 Failed password for invalid user mailman from 81.18.139.170 port 50490 ssh2
2006-07-22 20:37:33.717947500 Failed password for invalid user mailman from 81.18.139.170 port 50490 ssh2
2006-07-22 20:37:33.836916500 Received disconnect from 81.18.139.170: 11: Bye Bye
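
Added example (not part of any post in this thread, and not sshutout's own code): a Python sketch of the per-IP failure counting described above, run over log lines in the format quoted in the post. The threshold, the 10-minute window, the function names and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the sshd lines quoted in the thread. The address is anchored to the
# end of the line so that text inside the username field cannot supply it.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.\d+)? "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failure(line):
    """Return (timestamp, ip, user) for a failed-password line, else None.
    Fractional seconds in the log are dropped; whole seconds suffice here."""
    m = FAILED.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["ip"], m["user"]

def offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Map each IP to the time it first reached `threshold` failures in `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip, _user = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE = """\
2006-07-22 20:37:31.100000000 Failed password for invalid user mailman from 203.0.113.7 port 50490 ssh2
2006-07-22 20:37:33.717388500 Failed password for invalid user admin from 203.0.113.7 port 50491 ssh2
2006-07-22 20:37:33.836916500 Received disconnect from 203.0.113.7: 11: Bye Bye
2006-07-22 20:37:36.200000000 Failed password for root from 203.0.113.7 port 50492 ssh2
2006-07-22 20:40:02.000000000 Failed password for root from 198.51.100.23 port 40122 ssh2
2006-07-22 21:15:02.000000000 Failed password for root from 198.51.100.23 port 40388 ssh2
2006-07-22 21:50:02.000000000 Failed password for root from 198.51.100.23 port 40391 ssh2
""".splitlines()

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

Only the first sample address is flagged; the second has three failures, but they are spread over more than an hour and never fall inside one window.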

byte

« Reply #3 on: July 23, 2006, 05:18:42 PM »
I normally change the ssh port from 22 to say 2222.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told; this way you help us to help you/others - Thanks!

p-jones

« Reply #4 on: July 23, 2006, 10:35:48 PM »
These are probably brute-force ssh attacks. I got round these by

1) Allowing access only from local networks
2) Setting up a pptp connection on the remote systems.

In the server-manager, allow vpn access for the required users, in the remote access page, set local network access and define the max number of pptp connections.

pptp can get a bit flakey sometimes but for the greater part, this works well for me. It eliminated the SSH attacks, enables remote access still and keeps my sme standard.

HTH
Peter
...

raem

« Reply #5 on: July 24, 2006, 05:04:06 AM »
b2vn

> What can I do to make this more secure?

Enable public private keys & disable password access.
This has been answered a few times recently, so search on public private keys.
There is a how to as well.
...

alt-network

« Reply #6 on: December 21, 2006, 05:53:35 PM »
Does anyone have sshutout working on sme 7?

byte

« Reply #7 on: December 21, 2006, 06:53:32 PM »
Moving this topic to the SME Server 7.x forum, it is more appropriate there. Thanks!
--[byte]--
