I also had that problem. I decided not to change the port number, and
to live with the log noise, but to increase security I decided to deny
root access via ssh, and to Allow access to users that really require
ssh access (in my network there are more than 300 users, but only 5 need
ssh access, one of them is me). This reduces the possibility of a
successful brute force attack. Just add these lines in the sshd_config file:
PermitRootLogin no
AllowUsers <xx> <yy> <zz>
where <xx>, <yy> and <zz> are the users that REALLY require ssh access,
after checking they do not have a weak user name (like 'john' or 'mary')
and/or a weak password.
Alexandre H wrote:
> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scan seems to originate
> from various countries around the globe which makes me think of it to be
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run a SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.
> .
> .
> .
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
Hash: SHA1
Hello Alexandre,
I also had that problem. I decided not to change the port number, and
to live with the log noise, but to increase security I decided to deny
root access via ssh, and to Allow access to users that really require
ssh access (in my network there are more than 300 users, but only 5 need
ssh access, one of them is me). This reduces the possibility of a
successful brute force attack. Just add these lines in the sshd_config file:
PermitRootLogin no
AllowUsers <xx> <yy> <zz>
where <xx>, <yy> and <zz> are the users that REALLY require ssh access,
after checking they do not have a weak user name (like 'john' or 'mary')
and/or a weak password.
Alexandre H wrote:
> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scan seems to originate
> from various countries around the globe which makes me think of it to be
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run a SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.
> .
> .
> .
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFEDMENy9s+D7eSFvkRAkMVAJ9eNWKVftmaU3tbcUBsdlrh/RGAYACfaD5z
CN2Odgcd5/w/ysrFDUwpGsk=
=ktTN
-----END PGP SIGNATURE-----
[ reply ]