Server under SSH brute force attack...please help.

Fabian_Salamanca at Dell.com Fabian_Salamanca at Dell.com
Tue Sep 25 17:27:57 CDT 2007


Monitor your network connections; maybe the SSH comes from a known
server (the cron story).

Cheers!

-----Original Message-----
From: linux-poweredge-bounces at dell.com
[mailto:linux-poweredge-bounces at dell.com] On Behalf Of Marcus Bointon
Sent: Tuesday, September 25, 2007 5:07 PM
To: pedram at pr-sol.com
Cc: linux-poweredge-Lists
Subject: Re: Server under SSH brute force attack...please help.

On 25 Sep 2007, at 22:27, pedram at pr-sol.com wrote:

> Also, as a security tip, you may want to stop root users from logging
> in through SSH, you can do this by changing your /etc/ssh/sshd_config
> to state:
>
> PermitRootLogin no
>
> And uncomment that line, but make sure you have root access somehow,
> either through sudo or su (with the root password); it might require
> you to be in the wheel group.

Actually there's another option; set it to:

PermitRootLogin	without-password

This is one of those options that _everybody_ does a double-take on!  
It DOESN'T mean that you can log in as root without a password! It  
means that logging in as root using a password is not allowed. By  
elimination, it means that you CAN log in as root using a public key.  
It renders you immune to password brute-forcing, but still lets you  
log in as root. Of course when it is set, it will still ask for a  
password if you try to log in without a key - no point in letting the  
hackers know they don't have a hope.

And as has been said, given that these logged events are exactly 5  
minutes apart, this looks like a cron thing, not an attack - I get  
something similar doing remote rsyncs.

Marcus
-- 
Marcus Bointon
Synchromedia Limited: Creators of http://www.smartmessages.net/
UK resellers of info at hand CRM solutions
marcus at synchromedia.co.uk | http://www.synchromedia.co.uk/
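
The timing argument above (failures exactly 5 minutes apart point to a scheduled job, not a brute-force run) can be checked mechanically. This is an added example, not part of the original thread: the log lines are constructed, the host name and addresses are documentation placeholders, and the `jitter` and `min_period` thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample sshd log lines (not taken from the thread).
SAMPLE_LOG = """\
Sep 25 16:00:01 web1 sshd[4101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Sep 25 16:03:11 web1 sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Sep 25 16:03:13 web1 sshd[4122]: Failed password for invalid user test from 198.51.100.7 port 51236 ssh2
Sep 25 16:03:14 web1 sshd[4124]: Failed password for root from 198.51.100.7 port 51240 ssh2
Sep 25 16:03:17 web1 sshd[4126]: Failed password for root from 198.51.100.7 port 51244 ssh2
Sep 25 16:05:01 web1 sshd[4140]: Failed password for root from 192.0.2.10 port 40150 ssh2
Sep 25 16:07:45 web1 sshd[4151]: Failed password for root from 203.0.113.5 port 33001 ssh2
Sep 25 16:10:02 web1 sshd[4163]: Failed password for root from 192.0.2.10 port 40188 ssh2
Sep 25 16:15:01 web1 sshd[4190]: Failed password for root from 192.0.2.10 port 40221 ssh2
"""

# Captures the syslog timestamp and the source address of a failed password.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def failures_by_source(log_text, year=2007):
    """Map source address -> sorted failure timestamps (syslog omits the year)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(2)].append(ts)
    return {ip: sorted(stamps) for ip, stamps in events.items()}

def classify(timestamps, jitter=5, min_period=60):
    """'periodic' if gaps are near-constant and >= min_period seconds, else 'burst'."""
    if len(timestamps) < 4:
        return "too-few"
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mid = median(gaps)
    if mid >= min_period and all(abs(g - mid) <= jitter for g in gaps):
        return "periodic"
    return "burst"

def report(log_text):
    return {ip: classify(stamps) for ip, stamps in failures_by_source(log_text).items()}

if __name__ == "__main__":
    for ip, verdict in report(SAMPLE_LOG).items():
        print(ip, verdict)
```

A "periodic" verdict only says the timing matches a scheduler; the source still has to be identified as a known host, as suggested at the top of this message.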
