On Mon, Jul 26, 2004 at 10:28:33AM +0930, David Purton wrote:
> I just noticed a stack of failed attempts to ssh into my box as root
> over the last half an hour or so. I've now blocked the offending ip
> address, so hopefully they'll go away. Is there anything else I
> can/should do? Is it worth complaining to the owner of the subnet?
Could be any number of things, including people mistyping IP addresses,
wannabe script kiddies and you-name-it.
Complaining is unlikely to help, but it probably cannot do much harm
either. Unless of course the complaint gets relayed to the perpetrator
and he decides to DDOS you...
I guess you could tighten things up by only allowing key-based logins:
/etc/ssh/sshd.conf:
    PasswordAuthentication no
    UsePAM no
and make sure that you use privilege separation on ssh (which
unfortunately will break keyboard-interactive pam modules):
/etc/ssh/sshd.conf:
    UsePrivilegeSeparation yes
    PAMAuthenticationViaKbdInt no
Before you do this, you want to make sure that ~/.ssh/authorized_keys is
set up properly :-)
> I don't allow root to log in directly over ssh anyway, so what would a
> person gain from trying to do this?
Spending 10 minutes becoming 10 minutes older? And possibly wiser?
HTH
--
Karl E. Jørgensen
karl@jorgensen.com http://karl.jorgensen.com
==== Today's fortune:
Anything is possible on paper.
-- Ron McAfee
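Added example (not part of the original message): a pre-flight check for the advice above to confirm authorized_keys is set up before password logins are switched off. The function names are hypothetical, both file paths are passed as arguments, and only the global section of the config (before any Match block) is read.

```shell
#!/bin/sh
# Added example: pre-flight check before setting "PasswordAuthentication no".
# Paths are arguments; nothing here touches the running sshd.

# Print the effective value of a keyword in an sshd config file.
# sshd keeps the first value it reads for each keyword, and keywords are
# case-insensitive. Assumption: global section only, so stop at the first Match.
effective_setting() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# Succeed only if the authorized_keys file holds at least one key line and is
# not writable by group or others (sshd with StrictModes rejects such files).
keys_ready() {
    [ -s "$1" ] || return 1
    n=$(grep -cEv '^[[:space:]]*(#|$)' "$1" || true)
    [ "$n" -gt 0 ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Report whether it is safe to rely on key-based logins alone.
preflight() {
    cfg=$1 keys=$2
    if ! keys_ready "$keys"; then
        echo "STOP: $keys is missing, has no keys, or is too permissive"
        return 1
    fi
    pw=$(effective_setting "$cfg" PasswordAuthentication)
    echo "keys ok; PasswordAuthentication is '${pw:-unset}'"
}
```

Source the file and run preflight with the config path and the account's authorized_keys path from a session you keep open, so a failed check cannot lock you out.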