
Re: illegal access using ssh



Amish Rughoonundon wrote:
> Hi,
> I was looking at my auth.log file and I saw a bunch of these things:
> Nov 28 16:22:41 localhost sshd[11363]: Illegal user nobody from 212.0.148.2
> 
> I was wondering if there is a way to filter the ip allowed to access the
> computer and allow only 1 ip (mine) to do so. Thanks a lot,
> Amish
> 


To deal with this kind of attack, I have:

1. Using iptables, limited the rate of ssh login attempts to 5
per minute (it is my home machine and I do not have many users, so this
rate limitation does not affect me in any negative way).

2. Made sure users have strong passwords.

3. Limited who can log in via ssh by specifying the authorized users in
sshd_config using a line similar to this:
AllowUsers tom dick harry

and restarting sshd. This line disallows all users other than Tom, Dick
and Harry.

So, even if you do not do something like 1 above, the rest of the points
will keep you safe. Earlier I used to allow only certain IPs (my school
IPs) via iptables, but then I realized its limitation when I wanted to
log in from my relative's computer in another city.

So, these steps in conjunction with the other suggestions you have in
other posts will make quite nice layers of security for this situation.


HTH,
->HS
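
Added example, not part of the original message: a small Python check that reads auth.log lines in the format quoted above and reports which source addresses exceed the 5-attempts-per-minute rate mentioned in point 1. The sample lines are constructed (documentation-range addresses), the year is an assumption because syslog lines carry none, and the pattern goes slightly beyond the quoted line by also matching the "Invalid user" wording used by newer OpenSSH versions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input; addresses are documentation-range placeholders.
NAMES = ["nobody", "admin", "test", "guest", "oracle", "www", "ftp"]
SAMPLE = [
    f"Nov 28 16:22:{s:02d} localhost sshd[11363]: Illegal user {u} from 192.0.2.10"
    for s, u in zip(range(41, 55, 2), NAMES)
] + [
    "Nov 28 16:30:02 localhost sshd[11401]: Illegal user patrick from 198.51.100.7",
    "Nov 28 16:41:19 localhost sshd[11420]: Invalid user rolo from 198.51.100.7",
    "Nov 28 16:45:00 localhost sshd[11433]: Accepted password for tom "
    "from 203.0.113.5 port 40022 ssh2",
]

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (\S*) from (\S+)"
)

def parse(lines, year=2000):
    """Yield (timestamp, user, ip) for each unknown-user line.
    `year` is assumed: classic syslog timestamps do not include it."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def sources_over_limit(events, limit=5, window=timedelta(seconds=60)):
    """Return {ip: peak attempts inside one sliding window} for every
    source that made more than `limit` attempts within `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # drop attempts older than the window
            q.popleft()
        if len(q) > limit:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

if __name__ == "__main__":
    for ip, count in sources_over_limit(parse(SAMPLE)).items():
        print(f"{ip}: {count} unknown-user attempts within 60 seconds")
```

Pointed at a real log, pass the open file object to parse() in place of SAMPLE.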




