Is this normal? I think I'm under attack...

Hey guys,

I'm running a small SSH server at home. It's running FreeBSD 8.0p2 and I was just doing some routine maintenance when I spotted tons of these entries in my /var/log/messages file.



Is this normal or should I be concerned as a server admin? Can any server admins out there help me with how to thwart these attacks? Do I need to contact my ISP?

I do have ipfw as my firewall and it is turned on.

Cheers,
deltatux
 
This is normal. Just a scripted ssh attack. Be sure to have strong passwords for your users, don't permit root login via ssh (/etc/ssh/sshd_config) or, better, disable password authentication altogether and only allow pubkey based auth. You might also want to change the port sshd is listening on from 22 to something else.
 
Installing security/sshguard may help. Although in this case I doubt it. It seems they're using a distributed attack these days. Meaning every login failure will be from a different IP address.
 
Thanks for the replies. Ever since I posted the original message, I have since changed my SSH port from the default 22 to something else.

I also installed something called Denyhosts. However, is SSHGuard better than Denyhosts, or are they just as effective?

Thanks,
deltatux
 
FWIW I haven't seen a single attack for more than 6 months after changing to a nondefault port number.
I still have denyhosts watching that port though, in case the stupid bastards start scanning a wider port range.
 
A very effective way to reduce the amount of attacks for me was to tell my pfSense firewall to allow only 1-2 connections per 2 seconds or so. This way, the attackers usually gave up immediately and I ended up having about 5-10 attacks a day.
As mentioned previously of course, you should not use password authentication at all but only public key authentication and access to a specified list of users.
 
Monoecus said:
A very effective way to reduce the amount of attacks for me was to tell my pfSense firewall to allow only 1-2 connections per 2 seconds or so. This way, the attackers usually gave up immediately and I ended up having about 5-10 attacks a day.
As mentioned previously of course, you should not use password authentication at all but only public key authentication and access to a specified list of users.

How does this public key thingy work?

Thanks,
deltatux
 
Use putty (or another ssh client) and ssh-keygen to generate keys; edit sshd_config after you get the key working to disable password authentication.
Check out Google on how to do this (you will probably need to convert the keys using PuTTYgen).
 
kdemidofff said:
Use putty (or another ssh client) and ssh-keygen to generate keys; edit sshd_config after you get the key working to disable password authentication.
Check out Google on how to do this (you will probably need to convert the keys using PuTTYgen).

Then how do I log in using Filezilla and such? I also use SSH on different systems and I think if I use this keygen, the keys are different for each machine I use to access SSH...

Cheers,
deltatux
 
You will have 1 private key and 1 public key.
You will paste the public key into the server's .ssh/authorized_keys and use the private key (if you generate it on FreeBSD you need to convert it) inside PuTTY or PuTTY's Pageant.
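As an added example (not from any poster in this thread), the sshd_config changes suggested earlier (no root login, no password auth, pubkey only, non-default port, a fixed list of users) and the authorized_keys step from the post above, done as POSIX shell functions against a copy of the config. The sample config, the user names and the public key string are constructed placeholders; point the functions at /etc/ssh/sshd_config and a real key to use them.

```shell
#!/bin/sh
# Set a directive in an sshd_config file: rewrite the existing line (even a
# commented-out default like "#PasswordAuthentication no"), otherwise append.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
        rm -f "$file.bak"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the hardening discussed in the thread. Keep an ssh session open while
# testing pubkey login before restarting sshd with PasswordAuthentication no.
harden_sshd_config() {
    file=$1; port=$2; users=$3            # users: space-separated AllowUsers list
    set_directive "$file" Port "$port"
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" ChallengeResponseAuthentication no
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" AllowUsers "$users"
}

# Effective value of a directive: sshd honours the first uncommented occurrence.
sshd_directive() {
    awk -v k="$2" 'tolower($1)==tolower(k) { $1=""; sub(/^ +/, ""); print; exit }' "$1"
}

# Append one public key line to $home/.ssh/authorized_keys, once, with the
# modes sshd's StrictModes requires (700 on .ssh, 600 on authorized_keys).
install_pubkey() {
    home=$1; pubkey=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# Demo on a constructed config in a temp dir (mirrors FreeBSD's commented defaults).
demo_dir=$(mktemp -d)
printf '#Port 22\n#PermitRootLogin no\n#PasswordAuthentication no\n' > "$demo_dir/sshd_config"
harden_sshd_config "$demo_dir/sshd_config" 2222 "deltatux backup"
install_pubkey "$demo_dir/home" "ssh-ed25519 AAAAexamplekey deltatux@laptop"   # constructed key
cat "$demo_dir/sshd_config"
```

Run `sshd -t -f /path/to/sshd_config` against the edited file before restarting sshd so a typo cannot lock you out.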
 
Sorry for raising this thread from the grave but how do I convert it and then tell PuTTY to use the private keys?

Also, how do I apply it to .ssh/authorized_keys?

Thanks,
deltatux
 
PuTTY has a keygen tool which can import OpenSSH keys.
 
There's only one putty.exe in my PuTTY folder. Sorry if I sound like a total noob, but where's this keygen tool?

Thanks,
deltatux
 