
Re: Debian SSH server configuration



On Wed, Apr 26, 2006 at 02:23:30PM -0400, Greg Folkert wrote:
> On Wed, 2006-04-26 at 01:58 +0100, Digby Tarvin wrote:
> > On Tue, Apr 25, 2006 at 07:23:26PM -0400, Bruce Corbin wrote:
> > > Hi All,
> [...]
> > > Any suggestions?
> > > 
> [...]
> > You still stop the black hats from trying to guess passwords
> > using your ssh server. 
> 
> Yes... yes you will. But what is the fun in making them know that they
> can't do interactive logins. Wasting time for them is so fulfilling. I
> even get to do it automatically.
> 
> I get e-mails from my machines telling me exactly how many times ID10Ts
> are trying. I get a chuckle every one I get. Keeps the day going faster
> for me.

Oh, it still goes through the motions - it doesn't tell them that their
password is not even being looked at.

Your logs will tell you what user name they tried to log in with, and
that the login was rejected because password authentication is disabled.

I also like to configure my sshd to refuse login attempts to anyone
not in a special 'ssh' group, and generally exclude any predictable
user names like root or games from being in that group.

A quick check of my system log shows 1514 failed ssh attempts in the
last four days. For example, an attempt logged for a connection from
South Korea:

Apr 22 10:09:27 skaro sshd[8547]: User root not allowed because none of user's groups are listed in AllowGroups
Apr 22 10:09:27 skaro sshd[8547]: Failed password for illegal user root from 58.120.225.134 port 59938 ssh2

What I really should do is move sshd to a non-standard port, and put a
tarpit on the normal port to really inconvenience the bozos trying
dictionary attacks.

Regards,
DigbyT
-- 
Digby R. S. Tarvin                                          digbyt(at)digbyt.com
http://www.digbyt.com
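
A log summary of the kind discussed in this message, as an added example that is not part of the original post or of OpenSSH: it counts failed password attempts per source address and notes which ones were already excluded by AllowGroups. The host name, PIDs and addresses in the sample are constructed; the two message shapes are the ones quoted above, and the "invalid user" wording of later OpenSSH releases is also accepted.

```python
import re
from collections import Counter

# Constructed sample: host name, PIDs and addresses (RFC 5737 documentation
# ranges) are made up; the message shapes follow the log excerpt in the post.
SAMPLE_LOG = """\
Apr 22 10:09:27 host sshd[8547]: User root not allowed because none of user's groups are listed in AllowGroups
Apr 22 10:09:27 host sshd[8547]: Failed password for illegal user root from 192.0.2.10 port 59938 ssh2
Apr 22 10:09:31 host sshd[8551]: Failed password for illegal user admin from 192.0.2.10 port 59990 ssh2
Apr 22 11:02:03 host sshd[8601]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Apr 22 11:15:44 host sshd[8710]: Failed password for illegal user x from 198.51.100.99 port 1 ssh2 from 203.0.113.5 port 41000 ssh2
"""

PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DENIED = re.compile(r"^User .* not allowed because none of user's groups "
                    r"are listed in AllowGroups$")
# The user name is text chosen by the remote client and may contain spaces or
# a fake " from <addr>" string, so the greedy .* leaves only the final
# " from <addr> port <n> ssh2", which sshd itself wrote, for the address.
FAILED = re.compile(r"^Failed password for (?:(?:illegal|invalid) user )?"
                    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$")

def summarize(log_text):
    """Tally failed password attempts by source address and user name."""
    denied_pids = set()  # sshd children that logged an AllowGroups denial
    by_ip, by_user = Counter(), Counter()
    group_blocked = 0
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        if DENIED.match(m["msg"]):
            denied_pids.add(m["pid"])
            continue
        f = FAILED.match(m["msg"])
        if f:
            by_ip[f["ip"]] += 1
            by_user[f["user"]] += 1
            # Same PID as an AllowGroups line: the account was never eligible.
            group_blocked += m["pid"] in denied_pids
    return {"total": sum(by_ip.values()), "group_blocked": group_blocked,
            "by_ip": by_ip, "by_user": by_user}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["total"], "failed attempts,", report["group_blocked"], "blocked by AllowGroups")
    for ip, n in report["by_ip"].most_common():
        print(f"{n:5d}  {ip}")
```

PIDs are reused over time, so on a long log the AllowGroups correlation is best run per day or per rotation file.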


