[LAD] [ot] - NEED some security advise PLEASE!

Fernando Lopez-Lezcano nando at ccrma.Stanford.EDU
Sun Feb 15 03:01:29 UTC 2009


On Sun, 2009-02-15 at 01:14 +0000, pete shorthose wrote:
> On Sun, 15 Feb 2009 00:43:17 +0100
> Fons Adriaensen <fons at kokkinizita.net> wrote:
> 
> > On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien Claassen wrote:
> > 
> > >   8226 ?        Ss     0:00 sshd: unknown [priv]
> > >   8227 ?        S      0:00 sshd: unknown [net]
> > 
> > >    Just before that I only saw "sshd [accept]" and "sshd [net]".
> > >    Shutdown sshd and made new password and restarted sshd. Now it's the same.
> > >    Can I easily check where it's coming from and what it's doing? I don't see 
> > > anything besides those two lines. No other strange processes.
> > 
> > Someone is trying a ssh login - usually from the former
> > east block - and probably trying a list of user names
> > and passwords. Do (as root) tail -50 /var/log/secure
> > to see the show.
> > 
> > It happens here all the time. As long as you don't have
> > any easily guessed user/passwd combinations the danger
> > is limited, and closing your network connection for a
> > minute usually makes them go away. Configuring sshd to
> > allow only dsa authentication is better of course.
> 
> I changed the port sshd runs on because I got sick of the
> clickety click as logs were written due to brute force login 
> attempts. Not an option for everyone but it did the trick
> nicely for me. Port knocking is another option.

Another option is a service called denyhosts; it adds entries
to /etc/hosts.deny for each host from which a defined number of failed
logins happen. So the attacking hosts are dropped out as they try
passwords and hopefully fail...

http://denyhosts.sourceforge.net/

-- Fernando
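
The mechanism described in the message above, as an added example that is not part of the original post and is not DenyHosts' own code: count failed sshd password logins per source address in /var/log/secure-style lines and emit TCP wrappers hosts.deny entries once a threshold is reached. The log lines are constructed, and the function names and the threshold of 3 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of /var/log/secure (documentation-range addresses).
SAMPLE_LOG = """\
Feb 14 23:55:01 host sshd[8226]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Feb 14 23:55:03 host sshd[8228]: Failed password for root from 203.0.113.5 port 4243 ssh2
Feb 14 23:55:05 host sshd[8230]: Failed password for invalid user test from 203.0.113.5 port 4244 ssh2
Feb 14 23:55:09 host sshd[8232]: Failed password for nando from 198.51.100.7 port 5151 ssh2
Feb 14 23:55:12 host sshd[8234]: Accepted password for nando from 198.51.100.7 port 5152 ssh2
Feb 14 23:55:20 host sshd[8236]: Failed password for invalid user x from 192.0.2.9 from 203.0.113.77 port 6000 ssh2
"""

# The user name is chosen by the remote side, so match it greedily and take the
# address from the fixed tail of the line ("from <addr> port <n> ssh2"), never
# from the name. Otherwise a crafted user name could get a third party denied.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"
)

def failed_logins(log_text):
    """Count failed sshd password logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a literal address; skip rather than guess
        counts[str(addr)] += 1
    return counts

def hosts_deny_entries(log_text, threshold=3, already_denied=()):
    """Return new hosts.deny lines for addresses at or over the threshold."""
    denied = set(already_denied)
    return [
        f"sshd: {addr}"
        for addr, n in sorted(failed_logins(log_text).items())
        if n >= threshold and addr not in denied
    ]

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(SAMPLE_LOG)))
```

The last sample line carries an address inside the user name; only the address in the line's tail is counted, so 192.0.2.9 is never listed.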




