I just posted a GID Community blog entitled: Disabling root SSH logins.


Please let me know what you think.

__________________
Custom BB codes you can use here:
[HTML] | [C++] | [CSS] | [JAVA] | [PY] | [VB]

Good stuff! Since I only have mine set up as a testing server right now, I really didn't care about people hacking it. But it's always better to error on the safe side. Thanks!

__________________
Common Sense v2.0-Striving to make the world a little bit smarter.

A very easy way to avoid these login attempts is set the SSH port to whatever you want :

Edit sshd.config and find the lines :

#Port 22
#Protocol 2,1

Uncomment the lines and change them for example to :
Port 5353
Protocol 2

Then sit and look at your /var/logs/messages

I am actually quite pleased with all my efforts to curb SSHD abuse like this.

While modifying the config files just means that I am making it a bit harder for the person trying to break-in to the server, it doesn't stop them from trying. On a loaded server, unnecessary "traffic" like this can become a pain.

A few months back, I wrote a PHP script to run every 5 minutes, read the /var/log/messages log file and report back to me any attempts like these. Here is an example email report I received this morning (for me):


The first line just shows a line from the log file...

The second line is a link to a web site to find out relevant stuff about the IP.

The third line is something I can quickly copy and paste to block the IP from ever accessing my server.

So far so good, if I am unlucky, I get a "probe" like this once a day... On a good stretch, I get nothing for days. You should see my /etc/apf/deny_hosts.rules file now.

__________________
J de Silva
Learning Journal | GIDForums™ | GIDNetwork™ | GIDWebhosts™ | GIDSearch™

You may want to periodically empty your deny_hosts.rules file... On occassion we have had a client get themselves blocked by APF after too many failed email or FTP login attempts (BFD sends it to APF to be blocked).

But, almost as important as that is the fact that if your deny_hosts.rules gets huge... and therefore the contents of your IPchains/IPtables is very large, it can actually slow down your server as it has to parse through all the rules every time it receives a connection. It shouldn't be a problem with 50 or 100 or more entries, but if your deny_hosts.rules has entries for months or years, you may want to periodically clear it out

_______________________
Cheers,

Ronnie T. Moore, owner
Messenger: RonnieAWH
http://AlwaysWebHosting.com/ -- Friendly, feature-packed Cpanel hosting, that can't be beat!