Server under SSH brute force attack...please help.
Marcus Bointon
marcus at synchromedia.co.uk
Tue Sep 25 17:06:33 CDT 2007
On 25 Sep 2007, at 22:27, pedram at pr-sol.com wrote:
> Also, as a security tip, you may want to stop root users from logging
> in through SSH, you can do this by changing your /etc/ssh/sshd_config
> to state:
>
> PermitRootLogin no
>
> And uncomment that line, but make sure you have root access somehow
> either through sudo or su (with the root password) might require you
> to be in wheel group.

Actually there's another option; set it to:

PermitRootLogin without-password

This is one of those options that _everybody_ does a double-take on!
It DOESN'T mean that you can log in as root without a password! It
means that logging in as root using a password is not allowed. By
elimination, it means that you CAN log in as root using a public key.
It renders you immune to password brute-forcing, but still lets you
log in as root. Of course when it is set, it will still ask for a
password if you try to log in without a key - no point in letting the
hackers know they don't have a hope.

And as has been said, given that these logged events are exactly 5
minutes apart, this looks like a cron thing, not an attack - I get
something similar doing remote rsyncs.

Marcus
--
Marcus Bointon
Synchromedia Limited: Creators of http://www.smartmessages.net/
UK resellers of info at hand CRM solutions
marcus at synchromedia.co.uk | http://www.synchromedia.co.uk/
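
Added example (not part of the original message, and not OpenSSH code): a small Python audit that reads sshd_config text and reports whether root can log in with a password or with a public key, covering the PermitRootLogin values discussed above. The function names, the sample config and the `default` parameter are assumptions made for illustration.

```python
# Added example, not from the original message. Global section only:
# parsing stops at the first Match block.

# value -> (root may use a password, root may use a public key)
ROOT_MODES = {
    "yes": (True, True),
    "no": (False, False),
    "without-password": (False, True),
    "prohibit-password": (False, True),     # later name for without-password
    "forced-commands-only": (False, True),  # key only, with a forced command
}

def effective_options(config_text):
    """Return {keyword: value}; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank or commented-out line
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        if parts[0].lower() == "match":
            break                             # conditional blocks not evaluated
        if len(parts) >= 2:
            seen.setdefault(parts[0].lower(), parts[1].strip('"').lower())
    return seen

def root_login_policy(config_text, default="prohibit-password"):
    """default is an assumption: the built-in value depends on the OpenSSH version."""
    opts = effective_options(config_text)
    mode = opts.get("permitrootlogin", default)
    if mode not in ROOT_MODES:
        raise ValueError("unknown PermitRootLogin value: " + mode)
    password_ok, key_ok = ROOT_MODES[mode]
    if opts.get("passwordauthentication", "yes") == "no":
        password_ok = False                   # passwords disabled for everyone
    if opts.get("pubkeyauthentication", "yes") == "no":
        key_ok = False                        # keys disabled for everyone
    return {"mode": mode, "root_password": password_ok, "root_pubkey": key_ok}

# Constructed sample: a commented-out line, the setting from this thread,
# and a later duplicate that sshd ignores because the first value wins.
SAMPLE_CONFIG = """\
#PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication yes
PermitRootLogin yes
"""

if __name__ == "__main__":
    print(root_login_policy(SAMPLE_CONFIG))
```

On a live host, `sshd -T` prints the effective configuration, which also accounts for Match blocks that this sketch skips.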