I'm not very experienced with this sort of thing so please
bear with me.
Seaming I don't know jack, please bear with me.
Checking my logs today I was a bit surprised to find about 80
refused connection attempts to my sshd during the last month
like: Oct 7 21:22:27 firewall sshd[9710]: refused connect
from xxx.xxx.xxx.xxx
It's common. They are, most likely, automated scans trying to find
vulnerable OpenSSH systems. Remember to always keep it patched. Also I
recommend that if you know where you would be logging in from, i.e. from
work, etc, to explicitly deny everything and allow access to your known
login points.
I did reverse lookups on the IP's with dig and found that the
attemts originated from a variety of hosts from Italy, Polen,
Russia, Sweden and Pakistan to name but a few.
Yep, it's time to kick them all off the Internet.
One particular host had tried connecting 19 times with just a
few seconds between tries (is he/she just trying different
commonly used
passwords?)
Automated system, yes, common passwords. Like guest, root with blank
pass, root with root, etc, etc.
Is this Normal?
Yes.
Should I be concerned?
Always.
Any security tips, suggestions, thoughts? (I update regularly
with swaret (SlackwareTool), use strong random passwords, tcp
wrappers) Anyone know a good guide to hardening Slackware?
Anything else you'd like to mention?
First, use only Version 2 of SSH. Second firewall (Netfilter or
hardware) access to SSH, allow only the host/systems you know that you
will use to gain access to SSH. Third, deny root login from SSH,
remember to only use SU or limited sudo.
Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson@horizonusa.com
Phone: (775) 858-2338
(800) 325-1199 x338
Fax: (775) 858-2330
