Network Security Security-Basics
Re: Is this normal?

Date: Fri, 22 Oct 2004 16:54:21 +0000



Checking my logs today I was a bit surprised to find about 80 refused
connection attempts to my sshd during the last month like:
Oct  7 21:22:27 firewall sshd[9710]: refused connect from
xxx.xxx.xxx.xxx

I did reverse lookups on the IPs with dig and found that the attempts
originated from a variety of hosts from Italy, Poland, Russia, Sweden and
Pakistan, to name but a few.

One particular host had tried connecting 19 times with just a few
seconds between tries (is he/she just trying different commonly used
passwords?)

Now to my questions:
Is this Normal?
YES
Should I be concerned?
NOT REALLY. Make sure you don't have an easily guessed password. There are
freeware tools available on the net that will generate pseudo-random,
non-consonant passwords.
Any security tips, suggestions, thoughts? (I update regularly with
swaret (SlackwareTool), use strong random passwords, tcp wrappers)

You may already know all this ... but just to be sure ...
* Disallow root logins for ssh
* Disable SSH v1 and use only SSH v2
* Only allow "certain" users to access the ssh service (using the AllowGroups,
  DenyUsers settings)
* You can try running ssh on a non-standard port. If you are truly paranoid,
  you can cycle between a set of predefined ports on a weekly basis. :)

All these changes can be done in the ssh conf file.


Anyone know a good guide to hardening Slackware?
Anything else you'd like to mention?
General Hardening Tips (do a google for more)
* Disable clear text services (telnet, ssh, etc.)
* Install a firewall (ipchains) with a rulebase that only accepts packets from
  known IP addresses. (DROP, not REJECT, all others.)



Thanks, your help is much appreciated!

Best regards Erlend.
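As an added example (not code from the original post or from anyone in the thread), the following Python script does two of the things the reply suggests checking. It parses sshd "refused connect from" lines of the kind quoted above, counts them per source and flags sources that retry in a tight burst, which is the pattern of an automated scanner rather than a mistyped address. It also audits an sshd_config text for the settings the reply lists (PermitRootLogin, Protocol, AllowGroups/DenyUsers, Port), with the weak settings beside the hardened ones. The log lines, the two config snippets and the `sshusers` group are constructed for this example. One caveat worth knowing: "refused connect from" is the message tcp_wrappers (libwrap) logs when hosts.allow/hosts.deny rejects a client, so those connections were dropped before any password could be tried.

```python
"""Triage sshd "refused connect" entries and audit sshd_config.

Added example for the thread above, not code from the original post.
The log lines and config snippets below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime

# libwrap (tcp_wrappers) logs "refused connect from <client>" when
# hosts.allow/hosts.deny rejects a client, i.e. before any authentication.
REFUSED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"refused connect from (?P<src>\S+)$"
)

# Constructed sample log (syslog lines carry no year; one is supplied when parsing).
SAMPLE_LOG = [
    "Oct  7 21:22:27 firewall sshd[9710]: refused connect from 192.0.2.10",
    "Oct  7 21:22:31 firewall sshd[9712]: refused connect from 192.0.2.10",
    "Oct  7 21:22:36 firewall sshd[9714]: refused connect from 192.0.2.10",
    "Oct  7 21:22:40 firewall sshd[9716]: refused connect from 192.0.2.10",
    "Oct  7 21:22:45 firewall sshd[9718]: refused connect from 192.0.2.10",
    "Oct  9 03:14:02 firewall sshd[10233]: refused connect from 198.51.100.7",
    "Oct 12 11:05:55 firewall sshd[11870]: refused connect from 198.51.100.7",
    "Oct 12 11:06:00 firewall sshd[11872]: Accepted publickey for erlend from 203.0.113.5 port 50022 ssh2",
]


def parse_refused(lines, year=2004):
    """Return [(datetime, source)] for tcp_wrappers refusals; other lines are skipped."""
    events = []
    for line in lines:
        m = REFUSED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("src")))
    return events


def summarize(events, burst_min=5, burst_window=30):
    """Count refusals per source; flag sources with burst_min attempts inside burst_window seconds."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    counts = {src: len(times) for src, times in by_src.items()}
    bursts = []
    for src, times in by_src.items():
        times.sort()
        # sliding window over the sorted timestamps of this source
        for i in range(len(times) - burst_min + 1):
            if (times[i + burst_min - 1] - times[i]).total_seconds() <= burst_window:
                bursts.append(src)
                break
    return counts, sorted(bursts)


# Constructed sshd_config snippets: the weak settings beside the hardened ones.
WEAK_CONFIG = """
Port 22
Protocol 2,1
PermitRootLogin yes
"""

HARDENED_CONFIG = """
Port 2222              # optional: non-standard port
Protocol 2             # no SSH v1
PermitRootLogin no
AllowGroups sshusers   # only members of this (assumed) group may log in
"""


def audit_sshd_config(text):
    """Return findings for the settings recommended in the reply.

    sshd_config keywords are case-insensitive and the first value for a
    keyword wins, hence lower() and setdefault().
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z]+)[\s=]+(.+)$", line)  # "Key value" or "Key=value"
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    findings = []
    if settings.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    proto = settings.get("protocol")
    if proto is None or "1" in proto.split(","):
        findings.append("Protocol not pinned to 2 (SSH v1 may be offered)")
    if not any(k in settings for k in ("allowusers", "allowgroups", "denyusers", "denygroups")):
        findings.append("no AllowUsers/AllowGroups/DenyUsers/DenyGroups restriction")
    if settings.get("port", "22") == "22":
        findings.append("Port 22 (default; a non-standard port is optional)")
    return findings


if __name__ == "__main__":
    counts, bursts = summarize(parse_refused(SAMPLE_LOG))
    print("refusals per source:", counts)
    print("burst sources:", bursts)
    print("weak config findings:", audit_sshd_config(WEAK_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_CONFIG))
```

On the sample data the first source is flagged as a burst (five refusals in 18 seconds) while the second, with two attempts days apart, is not; the weak config yields four findings and the hardened one none. To run it against a real Slackware box, replace SAMPLE_LOG with the lines of /var/log/messages (or wherever your syslog sends auth messages) and feed the contents of /etc/ssh/sshd_config to audit_sshd_config.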

