
SSH security woes

I checked my /var/log/messages recently and it turns out my SSH server on my home machine is being hammered with login attempts. I suppose that's pretty common and it's probably just a bunch of bots. I carefully grepped through my logs and none of the login attempts were successful (so far as I can tell), which is good. One IP tried the following usernames one after the other:

staff sales recruit alias office samba tomcat webadmin spam virus cyrus oracle michael ftp test webmaster paul guest admin linux user david web apache pgsql info tony core newsletter named visitor ftpuser username administrator library test admin guest master admin admin admin admin test test webmaster username user admin test danny alex brett mike alan data www-data http httpd pop backup info shop sales web www wwwrun adam stephen richard george john angel pgsql ident webpop susan sunny steven ssh search sara robert richard party amanda rpm sgi users admins admins dean unknown securityagent tokend windowserver appowner xgridagent agent xgridcontroller jabber amavisd clamav appserver mailman cyrusimap qtss eppc telnetd identd gnats jeff irc list eleve proxy sys zzz frank dan james snort radiomail harrypotter divine popa3d aptproxy desktop workshop mailnull nfsnobody rpcuser rpc gopher

Are there really that many people in the world using "harrypotter" as their usernames? Other common login attempts seem to be for usernames "admin" and "oracle".
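As an added example (not from the original post): a small Python script that does the grep the post describes, over a few constructed syslog lines in the format OpenSSH used at the time. It groups sshd results by source address, records the username sequence each address tried, and flags addresses that either failed many times or logged in after a run of failures, which is the case a "were any of them successful?" grep is really looking for. The host name, addresses and usernames in SAMPLE_LOG are made up, and the two thresholds are assumptions.

```python
import re

# Constructed sample of /var/log/messages lines in the syslog format OpenSSH
# used in 2006.  Host name, addresses (RFC 5737 ranges) and users are made up.
SAMPLE_LOG = """\
Oct 10 03:12:01 gentoo sshd[12345]: Invalid user oracle from 203.0.113.45
Oct 10 03:12:01 gentoo sshd[12345]: Failed password for invalid user oracle from 203.0.113.45 port 41022 ssh2
Oct 10 03:12:04 gentoo sshd[12347]: Failed password for invalid user admin from 203.0.113.45 port 41030 ssh2
Oct 10 03:12:09 gentoo sshd[12349]: Failed password for root from 203.0.113.45 port 41044 ssh2
Oct 10 03:12:15 gentoo sshd[12351]: Failed password for invalid user harrypotter from 203.0.113.45 port 41051 ssh2
Oct 10 03:12:18 gentoo sshd[12353]: Failed password for invalid user admin from 203.0.113.45 port 41060 ssh2
Oct 10 08:40:22 gentoo sshd[12400]: Accepted publickey for brian from 198.51.100.7 port 51234 ssh2
Oct 10 09:01:13 gentoo sshd[12410]: Failed password for brian from 198.51.100.7 port 51300 ssh2
Oct 10 09:01:20 gentoo sshd[12410]: Accepted password for brian from 198.51.100.7 port 51300 ssh2
Oct 10 09:05:00 gentoo cron[12420]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 11:30:41 gentoo sshd[12500]: Failed password for test from 192.0.2.200 port 3322 ssh2
Oct 10 11:30:45 gentoo sshd[12502]: Failed password for test from 192.0.2.200 port 3326 ssh2
Oct 10 11:30:49 gentoo sshd[12504]: Accepted password for test from 192.0.2.200 port 3330 ssh2
"""

# One regex covers both outcomes; "invalid user" marks names with no account.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth-result line, or None for any other line."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "method": m.group("method"),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "ip": m.group("ip"),
    }


def summarize(log_text):
    """Per source IP: failure count, the username sequence tried, and each
    success together with how many failures from that IP preceded it."""
    per_ip = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip.setdefault(ev["ip"], {"failed": 0, "users": [], "accepted": []})
        if ev["result"] == "Failed":
            s["failed"] += 1
            if ev["user"] not in s["users"]:
                s["users"].append(ev["user"])
        else:
            s["accepted"].append((ev["user"], ev["method"], s["failed"]))
    return per_ip


def suspicious_sources(per_ip, max_failures=3, guess_then_success=2):
    """Addresses that failed at least max_failures times (a bot working a
    list), or that logged in after guess_then_success or more failures.
    Both thresholds are assumptions chosen for this example."""
    flagged = {}
    for ip, s in per_ip.items():
        guessed_in = any(before >= guess_then_success for _, _, before in s["accepted"])
        if s["failed"] >= max_failures or guessed_in:
            flagged[ip] = s
    return flagged


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in suspicious_sources(stats).items():
        print(ip, "failed:", s["failed"], "users:", " ".join(s["users"]),
              "accepted:", s["accepted"])
```

On the sample, the first address is flagged for its username list, the legitimate user who mistyped once and then logged in is not, and the last address is flagged because a success followed two failures for the same account; that last category is the one worth reading by hand, since a high failure count alone is just background noise.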

I've started taking SSH security more seriously since then. I limited the number of login attempts you can make before it blocks you. I made sure root login in SSH is disabled entirely. And I have SSH listening on a non-standard port. That last one is "security through obscurity", sure, but it seems to defeat bots. I've had 0 login attempts at all since I've moved to a different port. I've had a lot of garbage connection attempts, but those are apparently bots looking for a different service since they don't provide any identification at all. My next step is probably limiting login to using a key file I'll carry around with me on a flash drive, if I can figure out how to get that working.
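An added example, not the post author's configuration: the measures from the post and the comments below (non-standard port, root login off, few tries per connection, keys only, protocol 2 only, privilege separation) written as an sshd_config, beside a file that leaves the OpenSSH 4.x-era defaults in place, with a Python checker that reads both the way sshd does (case-insensitive keywords, first value for a keyword wins, Match blocks left out of a global audit) and reports what is still weak. Both config texts are constructed; the values in DEFAULTS are OpenSSH 4.x's defaults, and the "MaxAuthTries at most 3" and "Port 22 is a finding" criteria are the post's, taken as assumptions here.

```python
import re

# Defaults OpenSSH 4.x (the 2006-era server) applied when a keyword was absent.
# Keywords are case-insensitive; values are kept as the strings sshd_config uses.
DEFAULTS = {
    "port": "22",
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "maxauthtries": "6",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "useprivilegeseparation": "yes",
}

# Constructed: a config that leaves every default in place (a commented-out
# line is not a setting, so each of these falls back to DEFAULTS).
WEAK_CONFIG = """\
#Port 22
#Protocol 2,1
#PermitRootLogin yes
#MaxAuthTries 6
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server
"""

# Constructed: the measures from the post and the comments in one file.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no
# Needed alongside "PasswordAuthentication no" when UsePAM is yes: otherwise
# PAM keyboard-interactive still prompts for, and accepts, the password.
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server
"""


def parse_sshd_config(text):
    """Effective global settings.  As in sshd: keywords are case-insensitive,
    '#' starts a comment, the first value seen for a keyword wins, and both
    'keyword value' and 'keyword=value' are accepted.  Parsing stops at the
    first Match block, whose settings are conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in seen:
            continue
        seen.add(key)
        settings[key] = value
    return settings


def audit(text):
    """List of (keyword, effective value, problem); empty means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    if s["port"] == "22":
        findings.append(("Port", s["port"], "default port, where the bots look"))
    if "1" in s["protocol"].split(","):
        findings.append(("Protocol", s["protocol"], "SSH protocol 1 still offered"))
    if s["permitrootlogin"].lower() != "no":
        findings.append(("PermitRootLogin", s["permitrootlogin"], "root can log in directly"))
    if int(s["maxauthtries"]) > 3:
        findings.append(("MaxAuthTries", s["maxauthtries"], "many guesses per connection"))
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append(("PubkeyAuthentication", s["pubkeyauthentication"], "key logins disabled"))
    if s["passwordauthentication"].lower() != "no":
        findings.append(("PasswordAuthentication", s["passwordauthentication"], "passwords accepted"))
    if s["challengeresponseauthentication"].lower() != "no":
        findings.append(("ChallengeResponseAuthentication", s["challengeresponseauthentication"],
                         "keyboard-interactive can still take a password via PAM"))
    if s["useprivilegeseparation"].lower() != "yes":
        findings.append(("UsePrivilegeSeparation", s["useprivilegeseparation"], "privsep off"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

The ChallengeResponseAuthentication line is the one people miss: with UsePAM enabled, "PasswordAuthentication no" on its own still lets a client type a password through the keyboard-interactive method. On a current OpenSSH the Protocol and UsePrivilegeSeparation keywords are deprecated no-ops (protocol 1 and the non-separated mode were removed), and ChallengeResponseAuthentication is now spelled KbdInteractiveAuthentication, with the old name kept as an alias.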

October 11, 2006 @ 5:21 AM PDT
Category: Linux
Tags: SSH, Gnome, Gentoo

5 Comments

Steve Dibb
Quoth Steve Dibb on October 11, 2006 @ 6:27 AM PDT

Be sure to emerge and setup denyhosts. That'll kick off those nasty IPs for good.

Brian
Quoth Brian on October 11, 2006 @ 8:00 AM PDT

That looks promising. I am emerging it as we speak. Thanks.

denyhosts.com has an FAQ, and under "What steps can I take to make sshd more secure?" it lists the exact three things I said I've done already / plan to do. Looks like I'm not entirely without sense. (In this particular case.)

Brian
Quoth Brian on October 11, 2006 @ 8:03 AM PDT

Note to self: After installing and running denyhosts, DON'T purposefully fail a root SSH login to test if it works, or you will find your IP address at work added to hosts.deny. Oops. Never mind what I just said about having any sense.

Jamie
Quoth Jamie on October 11, 2006 @ 8:27 AM PDT

You should probably also look at your packet filter rules. I use NetBSD (and therefore ipf) and explicitly deny everything to port 22 except addresses I know I will be connecting from. Obviously, if you're connecting from many random addresses this isn't practical, but for most people connecting to their home boxes, SSH is generally accessed from only a few known addresses.

Also, ensure privilege separation is enabled, you have disabled SSH v1 and don't use passwords; use (as you suggest) RSA keys; it's painfully simple but prevents your password ever being captured by MITM-type attacks.

numerodix
Quoth numerodix on October 12, 2006 @ 12:28 AM PDT

You should definitely set up key authentication. I had a headless box running on a non-standard box and I got rooted, someone installed a spambot and started sending out thousands of messages per minute. With key authentication this won't happen, and it beats keeping track of what ip you can login from.