It's always a good idea to move ssh to a non-standard port,
so at least automated attacks are almost stopped.

André

Am 29.12.2011 15:50, schrieb Nikolay Yatsyshyn:
As a temporary solution you could use my iptables script for preventing ssh bruteforce.

I use this to prevent ssh and ftp bruteforce, where AAA.BBB.CCC.DDD is your trusted IP, which will never be blocked. This script will block an IP if it makes >3 connections per 5 minutes.

# Chain consulted before the reject rule; trusted sources are taken off the list here
iptables -N SSH_WHITELIST
# Record every new SSH connection attempt in the "sshbr" recent list
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --set
iptables -A INPUT -p tcp --dport 22 --syn -j SSH_WHITELIST
# Reject the source once it has 3 or more attempts within 300 seconds
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --update --rttl --hitcount 3 --seconds 300 -j REJECT --reject-with tcp-reset
# Trusted address: remove it from the "sshbr" list so it is never counted
# (the list must be named here, otherwise the default list is touched; --rttl is only valid with --rcheck/--update)
iptables -A SSH_WHITELIST -s AAA.BBB.CCC.DDD -p tcp --dport 22 --syn -m recent --name sshbr --remove

To increase security, change MaxAuthTries to 1 in /etc/ssh/sshd_config, so a remote user can do only 2 connection attempts with 2 password retries.

On Thu, Dec 29, 2011 at 4:33 PM, Ville Tiensuu <vi...@tiensuu.eu> wrote:


    Hello,

    Could you please paste the /var/log/auth.log messages of the attack?
    Are you sure it's not a bruteforce attack or similar?
    I think the problem is not in the SSH server itself, it's in your server's
    security. Are you using a weak password, and allowing direct root access
    to the server via SSH?
    If the problem persists on your other servers, try to use fail2ban or
    similar.

    -Ville

    29.12.2011 16:04, Taz wrote:
    > Hello, we've got various debian servers, about 15, with different
    > versions. All of them have been attacked today and granted root
    > access. Can anybody help? We can give ssh access to an attacked
    > machine, it seems to be a serious ssh vulnerability.
    >
    > How can I contact openssh mnt?
    >
    > Thank you.




--
BR, Nikolay Yatsyshyn
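The threshold Nikolay's iptables rules apply to SYN packets (3 hits within 300 seconds, one trusted address exempt) can also be checked after the fact against the /var/log/auth.log lines Ville asked for. The script below is an added example, not code from this thread; the log lines, the year handed to the timestamp parser and the trusted address are constructed stand-ins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same thresholds as the iptables rule: --hitcount 3 --seconds 300, and one
# trusted address that is never counted (constructed stand-in for AAA.BBB.CCC.DDD).
HITCOUNT, WINDOW_SECONDS = 3, 300
TRUSTED = {"198.51.100.10"}
# sshd failure lines in syslog format, as found in /var/log/auth.log
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

def parse_ts(text, year=2011):
    # syslog timestamps carry no year, so the caller supplies it (assumed 2011 here)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, hitcount=HITCOUNT, window=WINDOW_SECONDS, trusted=TRUSTED):
    """Return {ip: time of first block} for sources whose failed logins reach
    `hitcount` within a sliding `window` of seconds, the same test that
    `-m recent --update --seconds N --hitcount M` performs on SYN packets."""
    seen, blocked = defaultdict(deque), {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in trusted:
            continue                      # whitelisted, like the SSH_WHITELIST chain
        q = seen[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()                   # drop hits that fell out of the window
        if len(q) >= hitcount and ip not in blocked:
            blocked[ip] = ts
    return blocked

# Constructed sample log; 192.0.2.77 never has 3 failures inside one 300 s window.
SAMPLE_LOG = """\
Dec 29 15:50:01 srv1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 29 15:50:03 srv1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Dec 29 15:50:04 srv1 sshd[2105]: Failed password for root from 198.51.100.10 port 40001 ssh2
Dec 29 15:50:06 srv1 sshd[2107]: Failed password for root from 203.0.113.5 port 51250 ssh2
Dec 29 15:51:00 srv1 sshd[2110]: Failed password for root from 192.0.2.77 port 33000 ssh2
Dec 29 15:57:30 srv1 sshd[2150]: Failed password for root from 192.0.2.77 port 33010 ssh2
Dec 29 15:58:00 srv1 sshd[2152]: Failed password for root from 192.0.2.77 port 33011 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {HITCOUNT} failures within {WINDOW_SECONDS}s by {when:%H:%M:%S}")
```

Run against a real auth.log the same way (one line per entry) to see which sources the packet-level rule would already have rejected.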


--
Aarboard AG    Phone: +41 32 332 97 14
Egliweg 10     Fax:   +41 32 332 97 14
2560 Nidau
Switzerland    www.aarboard.ch
