Saturday, September 8, 2007

SSH attacks

Oh my gosh! These SSH attacks are getting worse by the minute. A few months ago I found that one of the accounts on my desktop had been hacked and was sponsoring bandwidth for some IRC bots and abusive scanning. The problem was that I had set up a user with a lame password for a friend of mine so he could get used to the Linux command line. Even though I asked him to change the password, he didn't, and that resulted in a complaint from a server to my ISP. Having investigated a little, I found a huge auth.log full of brute-force attempts at the ssh password.
Yesterday I started my ssh server on the laptop and, because I was very busy, I left the laptop running. Today I came home to find a 300K /var/log/auth.log file (which, in my opinion, is a lot for a freshly installed box with 22h of uptime). Something had to be done. I hardened my sshd config and searched for something to throttle down the attacks.
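What a first look at such an auth.log turns up, and the sliding-window rule a log-based throttler applies before it blocks an address, as an added Python example (this is not code from the post; the auth.log lines are constructed in OpenSSH's "Failed password" / "Accepted password" format, and the year 2007, the hostname, the addresses and the threshold of 5 failures within 10 minutes are assumptions):

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of the lines OpenSSH writes to /var/log/auth.log on a
# Debian-style box. Hostname, PIDs and addresses are made up (RFC 5737 ranges).
SAMPLE_AUTH_LOG = """\
Sep  7 23:58:01 laptop sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Sep  7 23:58:04 laptop sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Sep  7 23:58:07 laptop sshd[4105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Sep  7 23:58:10 laptop sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 40150 ssh2
Sep  7 23:58:13 laptop sshd[4109]: Failed password for invalid user guest from 203.0.113.7 port 40162 ssh2
Sep  7 23:58:16 laptop sshd[4111]: Failed password for invalid user guest from 203.0.113.7 port 40170 ssh2
Sep  8 09:12:40 laptop sshd[5210]: Failed password for bob from 192.0.2.44 port 51000 ssh2
Sep  8 09:12:45 laptop sshd[5212]: Failed password for bob from 192.0.2.44 port 51002 ssh2
Sep  8 09:12:49 laptop sshd[5214]: Accepted password for bob from 192.0.2.44 port 51004 ssh2
Sep  8 10:30:00 laptop sshd[5300]: Failed password for alice from 192.0.2.9 port 52000 ssh2
Sep  8 10:31:02 laptop sshd[5302]: Accepted password for alice from 192.0.2.9 port 52003 ssh2
"""

# syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2007  # syslog timestamps carry no year; assumed from the post's date


def parse_ts(ts):
    # collapse the space-padded day ("Sep  7") before handing it to strptime
    return datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_events(lines):
    """Yield (timestamp, kind, user, ip, invalid_user) for each auth event."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        f = FAILED_RE.match(msg)
        if f:
            yield ts, "failed", f["user"], f["ip"], bool(f["invalid"])
            continue
        a = ACCEPTED_RE.match(msg)
        if a:
            yield ts, "accepted", a["user"], a["ip"], False


def find_bruteforcers(lines, threshold=5, window_seconds=600):
    """Map each source IP to the time it first reached `threshold` failed
    logins inside a sliding window of `window_seconds`: the point at which a
    log-watching throttler would block the address."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, kind, _user, ip, _invalid in parse_events(lines):
        if kind != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop old attempts
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def failed_usernames(lines):
    """Count usernames guessed in failed attempts; the 'invalid user' ones
    are the attacker's wordlist, the others are your real accounts."""
    return Counter(u for _ts, kind, u, _ip, _inv in parse_events(lines) if kind == "failed")


def logins_after_failures(lines, min_failures=2):
    """Accepted logins from an address that had already failed at least
    `min_failures` times: the signature of a guessed (weak) password."""
    failures = Counter()
    hits = []
    for ts, kind, user, ip, _invalid in parse_events(lines):
        if kind == "failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits.append((user, ip, ts))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, when in find_bruteforcers(lines).items():
        print(f"brute force from {ip}: threshold reached at {when}")
    print("usernames tried:", failed_usernames(lines).most_common())
    for user, ip, when in logins_after_failures(lines):
        print(f"WARNING: {user} logged in from {ip} at {when} after repeated failures")
```

Run against a real /var/log/auth.log (`find_bruteforcers(open("/var/log/auth.log"))`), the first function gives the addresses a blocker such as fail2ban or DenyHosts would have put into the firewall or /etc/hosts.deny; the third is the one to check after an incident like the hacked friend account, because a success from an address that was guessing a moment earlier is exactly what a weak password looks like in the log.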
